Malicious authentication attempt detected by Okta ThreatInsight

okta

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1110-brute-force

Set up the okta integration.

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect malicious Okta authentication attempts based on Okta ThreatInsight.

Strategy

This rule lets you monitor Okta authentication attempts where the @evt.name is security.threat.detected and the @debugContext.debugData.threatSuspected value is true.

Okta ThreatInsight uses these attributes to flag authentication attempts that are deemed as threats.

Triage and response

  1. Determine if the source IP {{@network.client.ip}} is anomalous within the organization:
    • Does threat intelligence indicate that this IP has been associated with malicious activity?
    • Is the geo-location, ASN, or domain uncommon for the organization?
    • Use the Cloud SIEM - IP Investigation dashboard to see if the IP address has taken other actions.
  2. Investigate the debugContext.debugData.threatDetections field to determine the threat reason and level.
  3. If the IP is deemed malicious:
    • Confirm that no successful authentication attempts have been made.
    • If a successful authentication attempt is observed, begin your company’s incident response process.

Changelog

  • 13 September 2023 - Updated critical case severities to medium and medium case severities to low.
PREVIEWING: jen.gilbert/cdocs-build