Multiple Okta push notifications denied

okta

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1621-multi-factor-authentication-request-generation

Set up the okta integration.

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect Okta Multi-factor Authentication (MFA) fatigue attacks.

Strategy

This rule lets you monitor the following Okta events to determine when a user has rejected Okta MFA push verify more than once:

  • user.mfa.okta_verify.deny_push for Okta Classic
  • user.authentication.auth_via_mfa with debugContext.debugData.factor of OKTA_VERIFY_PUSH and @evt.outcome of FAILURE for Okta Identity Engine

An attacker may attempt to bombard users with repeated MFA push notifications in order to fatigue them, thereby forcing them into verifying their malicious authentication attempts.

Triage and response

  1. Verify if the user: {{@usr.email}} made the observed authentication attempts.
  2. If the user did not make the observed authentication attempts:
    • Rotate user credentials
    • Confirm that no successful authentication attempts have been made.
    • Investigate the source IP: {{@network.client.ip}} using the Cloud SIEM - IP Investigation dashboard to determine if the IP address has taken other actions.

Changelog

  • 12 September 2023 - Updated query to add distinction between Okta Classic and Okta Identity Engine.
PREVIEWING: aliciascott/DOCS-9725-Cloudcraft