Malicious authentication attempt detected by Okta ThreatInsight
Set up the Okta integration.
Goal
Detect malicious Okta authentication attempts based on Okta ThreatInsight.
Strategy
This rule lets you monitor Okta authentication attempts where the @evt.name is security.threat.detected and the @debugContext.debugData.threatSuspected value is true.
Okta ThreatInsight uses these attributes to flag authentication attempts that it deems to be threats.
Triage and response
- Determine if the source IP {{@network.client.ip}} is anomalous within the organization:
  - Does threat intelligence indicate that this IP has been associated with malicious activity?
  - Is the geo-location, ASN, or domain uncommon for the organization?
  - Use the Cloud SIEM - IP Investigation dashboard to see if the IP address has taken other actions.
- Investigate the debugContext.debugData.threatDetections field to determine the threat reason and level.
- If the IP is deemed malicious:
  - Confirm that no successful authentication attempts have been made.
  - If a successful authentication attempt is observed, begin your company's incident response process.
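The following Python script is an added example, not part of this rule or of Datadog's or Okta's own code. It applies the rule's matching logic (eventType security.threat.detected with debugData.threatSuspected true) to a handful of constructed Okta System Log events, parses the threatDetections field for the reason and level, and then performs the triage step of checking whether the same source IP later had a successful authentication. It uses the raw Okta System Log field names (eventType, client.ipAddress, outcome.result) rather than Datadog's mapped @evt.name and @network.client.ip attributes; the sample events and their values are constructed, and the assumption that Okta serialises debugData values as strings is handled by accepting both the string "true" and the boolean True.

```python
import json

# Constructed sample Okta System Log events (not real data). Field names follow
# the Okta System Log schema; the Datadog rule refers to them as @evt.name and
# @network.client.ip after ingestion.
SAMPLE_EVENTS = [
    {   # ThreatInsight flags a password-spray attempt from 203.0.113.7
        "eventType": "security.threat.detected",
        "published": "2023-09-13T10:00:00.000Z",
        "actor": {"alternateId": "alice@example.com"},
        "client": {"ipAddress": "203.0.113.7"},
        "outcome": {"result": "FAILURE"},
        "debugContext": {"debugData": {
            "threatSuspected": "true",
            # assumption: threatDetections arrives as a JSON-encoded string
            "threatDetections": json.dumps(
                [{"threatDetectionType": "Password Spray", "level": "HIGH"}]),
        }},
    },
    {   # same IP later logs in successfully: the "begin IR" branch of the triage
        "eventType": "user.session.start",
        "published": "2023-09-13T10:05:00.000Z",
        "actor": {"alternateId": "alice@example.com"},
        "client": {"ipAddress": "203.0.113.7"},
        "outcome": {"result": "SUCCESS"},
        "debugContext": {"debugData": {"threatSuspected": "false"}},
    },
    {   # a second flagged IP with no later success (already-decoded list form)
        "eventType": "security.threat.detected",
        "published": "2023-09-13T10:10:00.000Z",
        "actor": {"alternateId": "bob@example.com"},
        "client": {"ipAddress": "198.51.100.9"},
        "outcome": {"result": "FAILURE"},
        "debugContext": {"debugData": {
            "threatSuspected": True,
            "threatDetections": [{"threatDetectionType": "Login Failures", "level": "MEDIUM"}],
        }},
    },
    {   # benign login from an unrelated IP; must not match the rule
        "eventType": "user.session.start",
        "published": "2023-09-13T10:15:00.000Z",
        "actor": {"alternateId": "carol@example.com"},
        "client": {"ipAddress": "192.0.2.1"},
        "outcome": {"result": "SUCCESS"},
        "debugContext": {"debugData": {}},
    },
]


def get_path(event, path):
    """Walk a dotted path ("debugContext.debugData.threatSuspected") through nested dicts."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def is_threat_detected(event):
    """The rule's match condition: eventType and threatSuspected both as described."""
    suspected = get_path(event, "debugContext.debugData.threatSuspected")
    return (get_path(event, "eventType") == "security.threat.detected"
            and str(suspected).lower() == "true")


def threat_reasons(event):
    """Return threatDetections as a list of dicts, decoding the JSON-string form if needed."""
    raw = get_path(event, "debugContext.debugData.threatDetections")
    if raw is None:
        return []
    if isinstance(raw, str):
        try:
            raw = json.loads(raw)
        except json.JSONDecodeError:
            return [{"raw": raw}]  # keep undecodable content visible to the analyst
    return raw if isinstance(raw, list) else [raw]


def is_successful_auth(event):
    """Successful session/authentication events that the triage step must look for."""
    etype = get_path(event, "eventType") or ""
    return (get_path(event, "outcome.result") == "SUCCESS"
            and (etype == "user.session.start" or etype.startswith("user.authentication")))


def triage(events):
    """Group matching events by source IP and flag IPs that later authenticated successfully."""
    ordered = sorted(events, key=lambda e: e.get("published", ""))
    findings = {}
    for i, ev in enumerate(ordered):
        if not is_threat_detected(ev):
            continue
        ip = get_path(ev, "client.ipAddress")
        finding = findings.setdefault(
            ip, {"users": set(), "detections": [], "successful_auth_after": False})
        finding["users"].add(get_path(ev, "actor.alternateId"))
        finding["detections"].extend(threat_reasons(ev))
        later_success = any(get_path(e, "client.ipAddress") == ip and is_successful_auth(e)
                            for e in ordered[i + 1:])
        finding["successful_auth_after"] = finding["successful_auth_after"] or later_success
    return findings


if __name__ == "__main__":
    for ip, f in triage(SAMPLE_EVENTS).items():
        action = "BEGIN INCIDENT RESPONSE" if f["successful_auth_after"] else "no success seen"
        print(ip, sorted(f["users"]), f["detections"], action)
```

Run over real Okta System Log exports, the output of triage() gives an analyst the per-IP threat reason and level plus the one fact the playbook hinges on: whether that IP subsequently authenticated successfully. The time-ordering by the published field matters; a success recorded before the ThreatInsight detection is not the case the triage step is asking about.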
Changelog
- 13 September 2023 - Updated critical case severities to medium and medium case severities to low.