Name:Okta Suspicious Activity Reported id:bfc840f5-c9c6-454c-aa13-b46fd0bf1e79 version:4 date:2024-09-30 author:Michael Haag, Splunk status:production type:TTP Description:The following analytic identifies when an associate reports a login attempt as suspicious via an email from Okta. It leverages Okta Identity Management logs, specifically the `user.account.report_suspicious_activity_by_enduser` event type. This activity is significant as it indicates potential unauthorized access attempts, warranting immediate investigation to prevent possible security breaches. If confirmed malicious, the attacker could gain unauthorized access to sensitive systems and data, leading to data theft, privilege escalation, or further compromise of the environment. Data_source:
-Okta
search:`okta` eventType=user.account.report_suspicious_activity_by_enduser | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser client.geographicalContext.city client.geographicalContext.country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_suspicious_activity_reported_filter`
how_to_implement:This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). Additionally, it necessitates the activation of suspicious activity reporting and training for associates to report such activities. known_false_positives:False positives should be minimal, given the high fidelity of this detection. marker. References: -https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Okta Account Takeover' asset_type:Okta Tenant confidence:50 impact:50 message:A user [$user$] reported suspicious activity in Okta. Investigate further to determine if this was authorized. mitre_attack_id: - 'T1078' - 'T1078.001' observable: name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'displayMessage' - 'user' - 'eventType' - 'client.userAgent.rawUserAgent' - 'client.userAgent.browser' - 'client.geographicalContext.city' - 'client.geographicalContext.country' risk_score:25 security_domain:access
