Okta blocked numerous requests from a malicious IP

okta

Classification:

attack

Set up the okta integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a request is blocked due to a block list rule (such as an IP network zone or location rule).

Strategy

This rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:

  • security.request.blocked

Triage & Response

  1. Verify with the owner of {{@usr.name}} that they were attempting a request to {{@target_app}}.
  2. If the request cannot be verified with the user, correlate with other log sources to see if the blocked IP in the title of {{@title}} has communicated elsewhere on the network.
PREVIEWING: safchain/fix-custom-agent