Okta user reported suspicious activity

okta

Classification:

attack

Set up the okta integration.

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when an Okta user reports suspicious activity in response to an end user security notification.

Strategy

This rule monitors the case when an Okta user reports suspicious activity in response to an end user security notification. Suspicious Activity Reporting provides a user with the option to report unrecognized activity from email notifications about account activity. Account activity includes:

  • New sign-on notification
  • Authenticator enrolled
  • Authenticator reset
  • Password changed

Triage and response

  1. Identify the event type (@debugContext.debugData.suspiciousActivityEventType) that occurred and the IP address (@debugContext.debugData.suspiciousActivityEventIp) from which suspicious activity originated.
  2. Determine if any other activity has originated from this address by using the Cloud SIEM - IP Investigation dashboard.
  3. If the activity appears to be harmful:
    • Begin your organization’s incident response process and investigate for any account takeovers.
PREVIEWING: Cyril-Bouchiat/add-vm-package-explorer-doc