name: Okta Two or More Rejected Okta Pushes
id: d93f785e-4c2c-4262-b8c7-12b77a13fd39
version: 3
date: '2024-10-17'
author: Michael Haag, Marissa Bower, Splunk
status: deprecated
type: TTP
description: '**DEPRECATION NOTE** - This search has been deprecated and replaced with
  `Okta Multiple Failed MFA Requests For User`. The following analytic identifies an
  account that has rejected two or more Okta Verify push notifications within a
  10 minute window (the search fires on `count >= 2`). Tune the count threshold or
  the bin span for your environment.'
data_source: []
search: >-
  `okta` outcome.reason="User rejected Okta push verify"
  OR (debugContext.debugData.factor="OKTA_VERIFY_PUSH" outcome.result=FAILURE
  legacyEventType="core.user.factor.attempt_fail"
  "target{}.detailEntry.methodTypeUsed"="Get a push notification")
  | bin _time as bin_time span=10m
  | eval user=coalesce('actor.alternateId',user), user=mvindex(split(user, "@"), 0), event_time=_time
  | stats earliest(event_time) as event_time, min(_time) as firsttime, max(_time) as lasttime,
  values(client.ipAddress) as client.ipAddress, values(outcome.reason) as outcome,
  values(src_ip) AS src_ip, values(client.userAgent.rawUserAgent) as user_agent,
  values(eventType) as eventType, values(outcome.result) as action,
  values(legacyEventType) as legacyEventType, values(index) as idx, values(sourcetype) as st,
  count by bin_time user host
  | rename bin_time as timeWindow
  | convert ctime(timeWindow) ctime(firsttime) ctime(lasttime)
  | where count >= 2
  | `okta_two_or_more_rejected_okta_pushes_filter`
how_to_implement: This analytic is specific to Okta and requires Okta System Log
  events to be ingested into Splunk (the `okta` macro must resolve to that index and
  sourcetype).
known_false_positives: False positives may be present; a user who denies two prompts
  in quick succession (for example, an unexpected push they decline and then retry)
  will match. Tune Okta and the threshold of this analytic to ensure proper fidelity,
  adjust the risk score as needed, and run it as an anomaly until tuning is complete.
references:
- https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock
drilldown_searches: []
tags:
  analytic_story:
  - 'Suspicious Okta Activity'
  - 'Okta MFA Exhaustion'
  asset_type: Infrastructure
  confidence: 80
  impact: 80
  message: $user$ account has rejected multiple Okta pushes.
  mitre_attack_id:
  - 'T1110'
  observable:
  - name: 'user'
    type: 'User'
    role:
    - 'Victim'
  product:
  - 'Splunk Enterprise'
  - 'Splunk Enterprise Security'
  - 'Splunk Cloud'
  required_fields:
  - '_time'
  - 'user'
  - 'src_ip'
  - 'eventType'
  - 'status'
  risk_score: 64
  security_domain: access
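The SPL above only runs inside Splunk, so the following is an added, stand-alone Python re-implementation of the same detection logic (it is not part of the Splunk security content or of Okta's tooling). It filters constructed Okta System Log events with the same two predicates the search uses, normalizes the user the way `coalesce('actor.alternateId',user)` and `mvindex(split(user,"@"),0)` do, floors each timestamp into a fixed window like `bin _time span=10m`, and flags any (window, user) pair that reaches the threshold. The event shapes, logins, IPs and timestamps are constructed test data; the field names are the ones the search references. It also shows a caveat of fixed bins: two rejections that straddle a window boundary are split across bins and do not fire at the default span.

```python
from collections import defaultdict
from datetime import datetime, timezone

REJECTED_REASON = "User rejected Okta push verify"


def make_event(published, login, ip, shape):
    """Constructed, trimmed-down Okta System Log event (not a real log sample).

    shape: 'rejected' (current outcome.reason form), 'legacy' (older
    core.user.factor.attempt_fail form) or 'success' (push approved, must not count).
    """
    ev = {
        "published": published,
        "eventType": "user.authentication.auth_via_mfa",
        "actor": {"alternateId": login},
        "client": {"ipAddress": ip},
        "outcome": {"result": "SUCCESS"},
        "debugContext": {"debugData": {"factor": "OKTA_VERIFY_PUSH"}},
        "target": [{"detailEntry": {"methodTypeUsed": "Get a push notification"}}],
    }
    if shape == "rejected":
        ev["outcome"] = {"result": "FAILURE", "reason": REJECTED_REASON}
    elif shape == "legacy":
        ev["outcome"] = {"result": "FAILURE"}
        ev["legacyEventType"] = "core.user.factor.attempt_fail"
    return ev


# Constructed sample data. alice denies three pushes inside the 10:00-10:10 window,
# bob denies one push per window, carol denies two pushes that straddle 10:10.
SAMPLE_EVENTS = [
    make_event("2024-10-17T10:01:00Z", "alice@example.com", "203.0.113.7", "rejected"),
    make_event("2024-10-17T10:02:00Z", "bob@example.com", "198.51.100.9", "legacy"),
    make_event("2024-10-17T10:04:00Z", "alice@example.com", "203.0.113.7", "rejected"),
    make_event("2024-10-17T10:05:00Z", "alice@example.com", "203.0.113.7", "success"),
    make_event("2024-10-17T10:07:00Z", "alice@example.com", "203.0.113.7", "rejected"),
    make_event("2024-10-17T10:09:59Z", "carol@example.com", "192.0.2.44", "rejected"),
    make_event("2024-10-17T10:10:01Z", "carol@example.com", "192.0.2.44", "rejected"),
    make_event("2024-10-17T10:45:00Z", "bob@example.com", "198.51.100.9", "rejected"),
]


def is_rejected_push(ev):
    """Mirror the search filter: the explicit reject reason, or the legacy
    attempt_fail shape for an OKTA_VERIFY_PUSH factor delivered as a push."""
    outcome = ev.get("outcome", {})
    if outcome.get("reason") == REJECTED_REASON:
        return True
    factor = ev.get("debugContext", {}).get("debugData", {}).get("factor")
    push_target = any(
        t.get("detailEntry", {}).get("methodTypeUsed") == "Get a push notification"
        for t in ev.get("target", [])
    )
    return (
        factor == "OKTA_VERIFY_PUSH"
        and outcome.get("result") == "FAILURE"
        and ev.get("legacyEventType") == "core.user.factor.attempt_fail"
        and push_target
    )


def normalize_user(ev):
    """coalesce(actor.alternateId, user), then keep the part before '@'."""
    login = ev.get("actor", {}).get("alternateId") or ev.get("user") or ""
    return login.split("@")[0]


def time_bin(published, span_seconds):
    """bin _time span=<span>: floor the event time to the start of its window."""
    ts = datetime.fromisoformat(published.replace("Z", "+00:00")).timestamp()
    return int(ts // span_seconds) * span_seconds


def find_rejected_push_bursts(events, threshold=2, span_seconds=600):
    """Group rejected pushes by (window, user); return windows with >= threshold."""
    groups = defaultdict(list)
    for ev in events:
        if is_rejected_push(ev):
            groups[(time_bin(ev["published"], span_seconds), normalize_user(ev))].append(ev)
    findings = []
    for (window, user), evs in sorted(groups.items()):
        if len(evs) < threshold:
            continue
        findings.append({
            "timeWindow": datetime.fromtimestamp(window, timezone.utc).isoformat(),
            "user": user,
            "count": len(evs),
            "src_ip": sorted({e["client"]["ipAddress"] for e in evs}),
            "firsttime": min(e["published"] for e in evs),
            "lasttime": max(e["published"] for e in evs),
        })
    return findings


if __name__ == "__main__":
    for f in find_rejected_push_bursts(SAMPLE_EVENTS):
        print(f"{f['timeWindow']} {f['user']} rejected {f['count']} pushes from {f['src_ip']}")
```

With the defaults only alice is reported; carol's two rejections land in different 10 minute bins and are missed, which is the same behaviour `bin span=10m` has in Splunk. Widening `span_seconds` to 1800 picks carol up, at the cost of more benign matches, which is the tuning trade-off the `known_false_positives` note describes.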