Okta

Human Resources Management (HRM)

Okta - Identity management service for secure single sign-on and access management.

Detection Rules for Okta

Provider: Okta

App: Okta

Each rule lists its MITRE ATT&CK tactic and technique, criticality, the investigation actions (APIs) to run, and the criteria for creating an incident.

Suspicious Login Locations
MITRE Tactic: Initial Access
MITRE Technique: T1078: Valid Accounts
Criticality: High
Investigation Actions (APIs): Use GeoIP lookup APIs to check unusual login locations. Query IP reputation databases (e.g., AbuseIPDB).
Incident Creation Criteria: Create an incident if the login is from a flagged IP or if multiple unusual locations are detected for the same user.

MFA Bypass or Failure
MITRE Tactic: Defense Evasion
MITRE Technique: T1556: Modify Authentication Process
Criticality: High
Investigation Actions (APIs): Review recent changes in MFA policies via the Okta API. Check IP and device reputation for login attempts.
Incident Creation Criteria: Create an incident if there are multiple failed MFA attempts from a specific location or if MFA is bypassed repeatedly.

Excessive Failed Login Attempts
MITRE Tactic: Credential Access
MITRE Technique: T1110: Brute Force
Criticality: Medium
Investigation Actions (APIs): Analyze the frequency of failed attempts per user or IP. Correlate with user access patterns.
Incident Creation Criteria: Create an incident if failed attempts exceed a threshold, suggesting possible brute-force activity.

Access from Unusual Device or Browser
MITRE Tactic: Initial Access
MITRE Technique: T1078: Valid Accounts
Criticality: Medium
Investigation Actions (APIs): Use device fingerprinting APIs. Check for new devices associated with the user.
Incident Creation Criteria: Create an incident if access occurs from an unfamiliar device not previously associated with the account.

Unauthorized Admin Access
MITRE Tactic: Privilege Escalation
MITRE Technique: T1078.003: Privileged Accounts
Criticality: High
Investigation Actions (APIs): Retrieve user access logs. Check for account privilege changes and review recent administrative actions.
Incident Creation Criteria: Create an incident if privilege escalation occurs without authorization, especially if a non-admin is attempting access.

Multiple IPs for Single Session
MITRE Tactic: Collection
MITRE Technique: T1021.001: Remote Services
Criticality: Medium
Investigation Actions (APIs): Review session logs for concurrent logins. Check for split tunneling or VPN usage.
Incident Creation Criteria: Create an incident if multiple IP addresses are detected in the same session, indicating possible session hijacking.

Deactivated User Login Attempts
MITRE Tactic: Persistence
MITRE Technique: T1078: Valid Accounts
Criticality: Medium
Investigation Actions (APIs): Verify user account status. Review login attempt logs to identify patterns in deactivated accounts.
Incident Creation Criteria: Create an incident if a deactivated account attempts to log in, as it may indicate unauthorized access attempts.

Unusual Access Time Patterns
MITRE Tactic: Persistence
MITRE Technique: T1078: Valid Accounts
Criticality: Medium
Investigation Actions (APIs): Analyze access time against typical login patterns. Check for activity during non-business hours.
Incident Creation Criteria: Create an incident if multiple logins occur outside of usual business hours or established user patterns.

Okta Configuration Changes
MITRE Tactic: Defense Evasion
MITRE Technique: T1600: Modify System Image
Criticality: High
Investigation Actions (APIs): Monitor API calls for configuration changes. Review admin actions and log any modifications.
Incident Creation Criteria: Create an incident if unauthorized configuration changes are detected, especially for security or MFA settings.

Suspicious Password Reset Requests
MITRE Tactic: Credential Access
MITRE Technique: T1078.001: Password Guessing
Criticality: Medium
Investigation Actions (APIs): Track the frequency of password reset requests. Correlate with failed login attempts.
Incident Creation Criteria: Create an incident if password reset attempts appear excessive or correspond with failed logins, suggesting account targeting.

API Key Abuse or Anomalies
MITRE Tactic: Initial Access
MITRE Technique: T1078: Valid Accounts
Criticality: High
Investigation Actions (APIs): Monitor for unusual API key usage patterns. Check whether API key permissions align with the user's role.
Incident Creation Criteria: Create an incident if API key usage deviates from established patterns, indicating possible key abuse or leakage.

Bulk User Deactivations
MITRE Tactic: Impact
MITRE Technique: T1531: Account Access Removal
Criticality: High
Investigation Actions (APIs): Review logs for recent user deactivations. Confirm whether the actions were authorized by an admin.
Incident Creation Criteria: Create an incident if bulk deactivations are not aligned with administrative actions, suggesting possible malicious intent.

APIs and Their Scopes

App: Okta

For each rule, the Okta API endpoint it relies on, the OAuth scopes required to call it, and how the data is used.

Suspicious Login Locations
Required API: /api/v1/logs
Scopes Required: okta.logs.read
Usage: Retrieve user login logs and detect unusual locations.

MFA Bypass or Failure
Required API: /api/v1/users/{userId}/factors
Scopes Required: okta.users.read, okta.factors.read
Usage: Check for bypass attempts and failed MFA events.

Excessive Failed Login Attempts
Required API: /api/v1/logs
Scopes Required: okta.logs.read
Usage: Monitor user login activity and detect high numbers of failed attempts.

Access from Unusual Device or Browser
Required API: /api/v1/logs
Scopes Required: okta.logs.read
Usage: Track device and browser information for logins to identify unusual access patterns.

Unauthorized Admin Access
Required API: /api/v1/events
Scopes Required: okta.events.read
Usage: Identify changes in admin privileges and log any unauthorized access attempts.

Multiple IPs for Single Session
Required API: /api/v1/sessions/{sessionId}
Scopes Required: okta.sessions.read
Usage: Track concurrent sessions and detect multiple IP addresses in a single session.

Deactivated User Login Attempts
Required API: /api/v1/users/{userId}
Scopes Required: okta.users.read
Usage: Verify account status and detect login attempts on deactivated accounts.

Unusual Access Time Patterns
Required API: /api/v1/logs
Scopes Required: okta.logs.read
Usage: Analyze access time to detect patterns deviating from usual business hours.

Okta Configuration Changes
Required API: /api/v1/logs
Scopes Required: okta.logs.read
Usage: Track configuration changes within Okta, especially around security settings.

Suspicious Password Reset Requests
Required API: /api/v1/users/{userId}/lifecycle/reset_password
Scopes Required: okta.users.manage
Usage: Monitor and verify the frequency of password reset requests.

API Key Abuse or Anomalies
Required API: /api/v1/apps/{appId}/tokens
Scopes Required: okta.apps.read
Usage: Track API key usage patterns and identify possible abuse.

Bulk User Deactivations
Required API: /api/v1/users
Scopes Required: okta.apps.read
Usage: Review recent user deactivations and confirm authorization for bulk actions.
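The following is an added example, not part of the original page or of Okta's own tooling: offline detection logic for two of the rules above, Excessive Failed Login Attempts (T1110) and Suspicious Login Locations (T1078), run over System Log events of the shape returned by /api/v1/logs (scope okta.logs.read). The sample events, the threshold of 5, and the per-user country baseline are constructed for illustration; the filter syntax in LOG_QUERY is assumed.

```python
"""Detection logic over Okta System Log events (GET /api/v1/logs).
Sample events below are constructed; only the fields the rules need are set."""
from collections import defaultdict

# Parameters that would be sent to GET /api/v1/logs to fetch login events.
# Assumed: the API's SCIM-style `filter` expression and the `since` window.
LOG_QUERY = {
    "filter": 'eventType eq "user.session.start"',
    "since": "2024-01-01T00:00:00Z",  # constructed window start
    "limit": 1000,
}

FAILED_LOGIN_THRESHOLD = 5  # constructed value; tune per organisation


def _ev(user, result, ip, country):
    """Build a minimal System Log event (constructed sample data)."""
    return {"eventType": "user.session.start",
            "outcome": {"result": result},
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip,
                       "geographicalContext": {"country": country}}}


SAMPLE_EVENTS = (
    [_ev("alice@example.com", "FAILURE", "198.51.100.7", "United States")] * 6
    + [_ev("alice@example.com", "SUCCESS", "198.51.100.7", "United States")]
    + [_ev("bob@example.com", "SUCCESS", "203.0.113.9", "Germany")]
)


def excessive_failed_logins(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Rule T1110: return {user: failed_count} for users at/above threshold."""
    fails = defaultdict(int)
    for e in events:
        if (e["eventType"] == "user.session.start"
                and e["outcome"]["result"] == "FAILURE"):
            fails[e["actor"]["alternateId"]] += 1
    return {u: n for u, n in fails.items() if n >= threshold}


def new_country_logins(events, known_countries):
    """Rule T1078: return (user, country, ip) for successful logins from a
    country absent from the user's baseline {user: set_of_countries}."""
    hits = []
    for e in events:
        if e["outcome"]["result"] != "SUCCESS":
            continue
        user = e["actor"]["alternateId"]
        country = e["client"]["geographicalContext"]["country"]
        if country not in known_countries.get(user, set()):
            hits.append((user, country, e["client"]["ipAddress"]))
    return hits
```

In practice the baseline for new_country_logins is built from the user's historical successful logins, and a hit is then enriched with the GeoIP and IP-reputation lookups listed under Investigation Actions before an incident is created.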

Reports and Widgets for CISO

Each report lists its widgets and a description of what it covers.

Login Activity Overview
Widgets: Total Logins; Failed Logins; Suspicious Logins by Location
Description: Summarizes login activity, highlighting failed login attempts and the geolocation of suspicious logins.

MFA Success and Failure Rates
Widgets: MFA Success Rate; MFA Failure Rate by Location; MFA Bypass Attempts
Description: Tracks multifactor authentication trends, identifying potential MFA bypass and the geolocation of MFA failures.

Access Patterns by Device/Browser
Widgets: Devices with High Login Volume; Browser Usage Trends; Unusual Device Access
Description: Analyzes login attempts by device and browser, flagging unusual device/browser patterns.

Administrative Changes
Widgets: Recent Privilege Escalations; Role Changes by User; Unauthorized Admin Logins
Description: Reports on administrative actions, particularly unauthorized access attempts or unexpected privilege escalations.

Deactivated and Suspended Users
Widgets: Deactivated User Access Attempts; Suspended Accounts Activity
Description: Shows login attempts by deactivated or suspended users, providing insight into potential policy violations or insider threats.

Unusual Access Times
Widgets: Logins Outside Business Hours; Time-based Access Anomalies
Description: Highlights access attempts that occur outside of normal business hours or other access anomalies.

Configuration Change Logs
Widgets: Recent Okta Config Changes; Security Setting Modifications
Description: Monitors configuration changes in Okta, particularly security-sensitive settings such as password policies and MFA configuration.

API Key Activity
Widgets: API Key Usage by IP; High-Volume API Requests; Unauthorized API Key Access
Description: Tracks usage of API keys, including geolocation and request volume, to detect anomalies or abuse.

Bulk Actions Monitoring
Widgets: Bulk User Creation; Bulk User Deactivation; Group Assignment Changes
Description: Displays any bulk changes in user provisioning, such as mass deactivations, to ensure that these actions are authorized and not signs of misuse.

Password Reset and Account Recovery
Widgets: Password Reset Attempts; High Frequency Password Resets; Account Recovery Success/Failure Rate
Description: Monitors the frequency and success rate of password reset and account recovery requests, helping identify account compromise attempts.