Multiple Okta push notifications denied
Set up the Okta integration.
Goal
Detect Okta Multi-factor Authentication (MFA) fatigue attacks.
Strategy
This rule lets you monitor the following Okta events to determine when a user has rejected an Okta Verify push more than once:
- user.mfa.okta_verify.deny_push for Okta Classic
- user.authentication.auth_via_mfa with debugContext.debugData.factor of OKTA_VERIFY_PUSH and @evt.outcome of FAILURE for Okta Identity Engine
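The strategy above, worked through over a handful of constructed Okta System Log events. This is an added example and not part of the Datadog rule or the Okta integration. It assumes the Datadog attributes named on the page map to the Okta System Log fields actor.alternateId (@usr.email), outcome.result (@evt.outcome) and client.ipAddress (@network.client.ip); the sample log lines are made up for the demonstration.

```python
import json
from collections import defaultdict

# Constructed sample Okta System Log events (not real data). Field names follow
# the Okta System Log schema; the Datadog attributes used on the page are
# assumed to map to them as follows:
#   @usr.email         -> actor.alternateId
#   @evt.outcome       -> outcome.result
#   @network.client.ip -> client.ipAddress
SAMPLE_LOG = """
{"eventType":"user.mfa.okta_verify.deny_push","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.test"},"client":{"ipAddress":"203.0.113.10"}}
{"eventType":"user.mfa.okta_verify.deny_push","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.test"},"client":{"ipAddress":"203.0.113.10"}}
{"eventType":"user.authentication.auth_via_mfa","outcome":{"result":"FAILURE"},"actor":{"alternateId":"bob@example.test"},"client":{"ipAddress":"198.51.100.7"},"debugContext":{"debugData":{"factor":"OKTA_VERIFY_PUSH"}}}
{"eventType":"user.authentication.auth_via_mfa","outcome":{"result":"FAILURE"},"actor":{"alternateId":"bob@example.test"},"client":{"ipAddress":"198.51.100.8"},"debugContext":{"debugData":{"factor":"OKTA_VERIFY_PUSH"}}}
{"eventType":"user.authentication.auth_via_mfa","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.test"},"client":{"ipAddress":"198.51.100.8"},"debugContext":{"debugData":{"factor":"OKTA_VERIFY_PUSH"}}}
{"eventType":"user.authentication.auth_via_mfa","outcome":{"result":"FAILURE"},"actor":{"alternateId":"carol@example.test"},"client":{"ipAddress":"192.0.2.5"},"debugContext":{"debugData":{"factor":"TOTP"}}}
{"eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"carol@example.test"},"client":{"ipAddress":"192.0.2.5"}}
"""


def _get(event, *path):
    """Walk a nested dict safely; Okta events may omit debugContext entirely."""
    node = event
    for key in path:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def is_denied_push(event):
    """True when the event is a denied Okta Verify push, in either Okta flavour."""
    event_type = event.get("eventType")
    # Okta Classic: a dedicated event type records the user tapping "deny".
    if event_type == "user.mfa.okta_verify.deny_push":
        return True
    # Okta Identity Engine: generic MFA event, narrowed by factor and outcome.
    return (
        event_type == "user.authentication.auth_via_mfa"
        and _get(event, "debugContext", "debugData", "factor") == "OKTA_VERIFY_PUSH"
        and _get(event, "outcome", "result") == "FAILURE"
    )


def find_mfa_fatigue(events, threshold=2):
    """Group denied pushes by user and report users at or above the threshold.

    Returns {email: {"denials": n, "source_ips": [...], "later_success": bool}}
    so the triage steps (rotate credentials, rule out a successful login,
    investigate the source IP) have what they need.
    """
    denials = defaultdict(int)
    ips = defaultdict(set)
    success_after = defaultdict(bool)
    for event in events:
        user = _get(event, "actor", "alternateId")
        if user is None:
            continue
        if is_denied_push(event):
            denials[user] += 1
            ip = _get(event, "client", "ipAddress")
            if ip:
                ips[user].add(ip)
        elif (
            denials[user]
            and _get(event, "outcome", "result") == "SUCCESS"
            and event.get("eventType", "").startswith("user.authentication.")
        ):
            # A successful authentication after repeated denials is exactly
            # the outcome the triage steps tell you to rule out.
            success_after[user] = True
    return {
        user: {"denials": n, "source_ips": sorted(ips[user]),
               "later_success": success_after[user]}
        for user, n in denials.items() if n >= threshold
    }


def load_events(text):
    """Parse newline-delimited JSON such as an Okta System Log export."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


if __name__ == "__main__":
    for user, info in find_mfa_fatigue(load_events(SAMPLE_LOG)).items():
        print(f"{user}: {info['denials']} denied pushes from {info['source_ips']},"
              f" later_success={info['later_success']}")
```

Run as-is it reports alice with two Classic denials from one IP and bob with two Identity Engine denials from two IPs followed by a successful push, while carol's failed TOTP attempt is ignored because the factor is not OKTA_VERIFY_PUSH. The Datadog rule evaluates the same condition over a time window; this script counts over the whole input, so apply a window if you reuse it on a real export.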
An attacker who already holds a user's password may bombard that user with repeated MFA push notifications in order to fatigue them into approving one of the malicious authentication attempts.
Triage and response
- Verify if the user {{@usr.email}} made the observed authentication attempts.
- If the user did not make the observed authentication attempts:
  - Rotate user credentials.
  - Confirm that no successful authentication attempts have been made.
- Investigate the source IP {{@network.client.ip}} using the Cloud SIEM - IP Investigation dashboard to determine if the IP address has taken other actions.
Changelog
- 12 September 2023 - Updated query to add distinction between Okta Classic and Okta Identity Engine.