How to Tell if You Were Attacked in the Recent Okta Security Breach

Today, Okta, a leading enterprise identity and access management firm, reported that it had launched an inquiry after the LAPSUS$ hacking group posted screenshots on Telegram. The hackers claimed the pictures were taken after obtaining access to “Okta.com Superuser/Admin and various other systems.”

If your organization uses Okta as its SSO provider and you are already forwarding Okta audit logs to your Coralogix account, your logs most likely already contain information that can help you investigate whether you were attacked. This article describes the steps needed to create alerts that will notify you if such an event happens.

Get the logs to flow

If you haven’t yet, the first thing you need to do is get the Okta audit logs shipped to Coralogix. The steps are detailed here: Okta Audit Logs.

Deploy Okta Audit extension pack

Now that the data is coming in, you can enable the Okta audit extension pack by following these steps:

  1. Login to your Coralogix account
  2. From the “Data Flow” menu, choose the “Extensions” option
  3. Look for “OKTA Audit” and click the “Deploy” button. Select the application and subsystem names assigned to Okta audit logs

Several alerts and (Kibana) dashboards will be added to your account and will detect anomalies related to this attack. These dashboards will help investigate Okta authentication-related security issues. These alerts (such as ‘Unauthorized admin request,’ ‘A new non-browser like tool used to enter an app,’ and ‘Access admin app event from unknown actor’) can detect this specific breach.

Enable enrichment on relevant fields

To improve the detection even further, you can also enable the security enrichment in Coralogix on the logs from Okta. To do that, follow these simple steps:

  1. From the “Data Flow” menu, choose the “Data Enrichment” option
  2. Add the field “ip” to the “Security Enrichment”

Create alerts

  1. Add a standard alert to Coralogix with the following details:
    1. Name: Okta Authentication Attempt from a blacklisted IP
    2. Description: A user or service has attempted to log in via Okta from an IP address on the AlienVault database. See more details here:
    3. Alert Type: Standard
    4. Query: _exists_:ip_suspected
    5. Applications: The application names assigned to Okta audit events
    6. Subsystems: The subsystem names assigned to Okta audit events
    7. Conditions:
      1. Alert when: Notify immediately
  2. Add a unique count alert to Coralogix with the following details:
    1. Name: A user has attempted to log on from multiple locations within an hour
    2. Description: A user or service has attempted to log in via Okta from multiple geographic locations within the last hour
    3. Alert Type: Unique Count
    4. Query: _exists_:request.ipChain.geographicalContext.country AND _exists_:actor.id
    5. Applications: The application names assigned to Okta audit events
    6. Subsystems: The subsystem names assigned to Okta audit events
    7. Conditions:
      1. Unique Count By Key: request.ipChain.geographicalContext.country
      2. Max Unique Values: 1
      3. In Timeframe: 1 Hour
      4. Group Unique Count per Specific Key: Checked
      5. Group By Key: actor.id
  3. After you have done that, we recommend that you also take a look at this article and add the alerts mentioned in it:
    1. Okta Policy update
    2. OKTA – Revoke user privilege
    3. OKTA – Admin Privilege Granted
    4. Okta – access admin app event from unknown actor
    5. administrative access to Okta
    6. Okta – login from an unfamiliar country
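The two alert definitions above, implemented over a few constructed Okta System Log events so you can see exactly what each one fires on. This is an added example, not Coralogix or Okta code; it assumes that `ip_suspected` is the field the security enrichment adds (holding the flagged IP) and that `request.ipChain` is a list of hops as in Okta's log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Okta System Log events (not real data), carrying only the
# fields the two alerts query. "ip_suspected" is assumed to be the field that the
# Coralogix security enrichment adds when the source IP is on a threat list.
def ev(published, actor_id, ip, country, suspected=False):
    e = {"published": published, "actor": {"id": actor_id},
         "request": {"ipChain": [{"ip": ip, "geographicalContext": {"country": country}}]}}
    if suspected:
        e["ip_suspected"] = ip
    return e

SAMPLE_EVENTS = [
    ev("2022-03-22T09:00:00Z", "00u1", "203.0.113.5", "Germany"),
    ev("2022-03-22T09:20:00Z", "00u1", "198.51.100.7", "Brazil", suspected=True),
    ev("2022-03-22T11:00:00Z", "00u2", "192.0.2.9", "Germany"),
    ev("2022-03-22T14:00:00Z", "00u1", "203.0.113.5", "Germany"),
]

def parse_ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ")

def countries(event):
    """Distinct values of request.ipChain.geographicalContext.country (ipChain is a list)."""
    return {hop.get("geographicalContext", {}).get("country")
            for hop in event.get("request", {}).get("ipChain", [])
            if hop.get("geographicalContext", {}).get("country")}

def suspected_ip_alerts(events):
    """Alert 1 (_exists_:ip_suspected): fire on every event carrying the enrichment field."""
    return [(e["actor"]["id"], e["ip_suspected"]) for e in events if "ip_suspected" in e]

def multi_country_alerts(events, window=timedelta(hours=1), max_unique=1):
    """Alert 2: per actor.id, more than max_unique distinct countries inside a sliding window."""
    history = defaultdict(deque)  # actor.id -> (timestamp, country) pairs still inside the window
    alerts = []
    for e in sorted(events, key=parse_ts):
        actor, seen_now = e.get("actor", {}).get("id"), countries(e)
        if not actor or not seen_now:
            continue  # the query requires both fields to _exist_
        ts, q = parse_ts(e), history[actor]
        q.extend((ts, c) for c in seen_now)
        while ts - q[0][0] > window:  # drop hops that fell out of the 1-hour window
            q.popleft()
        distinct = sorted({c for _, c in q})
        if len(distinct) > max_unique:
            alerts.append((actor, ts, distinct))
    return alerts

if __name__ == "__main__":
    print(suspected_ip_alerts(SAMPLE_EVENTS))
    print(multi_country_alerts(SAMPLE_EVENTS))
```

With the sample data, user 00u1 trips the second alert at 09:20 (Germany then Brazil within 20 minutes) but not at 14:00, when the earlier hops have aged out of the one-hour window.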

Create Visualization

The steps above will help you detect and alert on unusual Okta activity that could indicate malicious activity such as that carried out by the LAPSUS$ hacking group. In addition, you can build the following table visualization in Kibana and use it to examine the Okta logs from the past 24 hours for any alarming activity:

  1. Click on the menu button to the right of ‘All subsystems’ at the top right corner of the Coralogix UI and select “Kibana”
  2. Click on “Visualize” and then on “Create new visualization”
  3. Select “Data Table” visualization type
  4. Under “Metrics,” change the Metric aggregation from “Count” to “Unique Count” and set the field to “request.ipChain.geographicalContext.country.keyword”
  5. Set the “Custom label” to “Countries”
  6. Under “Buckets,” click “Add” and select “Split rows”
  7. In the “Aggregation” field, select “Terms” and set the field to “actor.id.keyword” and set “Size” to the number of Okta users you have
  8. Under “Buckets,” click “Add” and select “Split rows” again
  9. In the “Aggregation” field, select “Terms” and set the field to “actor.displayName.keyword” and set “Size” to the number of Okta users you have
  10. Click the blue “Apply Changes” button (looks like a blue triangle at the top)
  11. In the “Options” tab set the number of results per page to a number that will make the visualization useful for you.
  12. Click the “Save” button at the top. Now you can add this visualization to any Kibana dashboard that you’d like

You can now check the number of source countries per user across the selected time range at the top right. If you find a user that has connected from multiple locations, especially if this user is a privileged user, you can use this visualization to investigate the behavior of this user in the past to see if this is a new behavior.

If you have any further questions and need assistance, you can reach out to our 24×7 support team via the in-app chat.

Okta Log Insights with Coralogix

This post will show you how Coralogix can provide analytics and insights for your Okta logs, covering both performance and security.

Okta is one of the leading identity provider platforms in the world, offering a variety of cloud services, including a Single Sign-On solution to manage and secure company user authentication with third-party applications.

Okta Logs

Okta generates system events related to your organization’s authentication activity. The data provides an audit trail that helps you understand platform activity. Each log event object describes a single logged action or “event” performed by a certain actor for a certain target.

You can use this event data with Coralogix alerts and dashboards to instantly diagnose problems, spot potential security threats, and get real-time notification of any event you want to observe. Ultimately, this offers a better monitoring experience and more value from your data with minimum effort.

Okta Dashboards

Here are a few example dashboards we created using the Okta log data, using fields such as displayMessage, eventType, legacyEventType, client.geographicalContext.geolocation, client.geographicalContext.country, and actor.displayName.

We were able to create dashboards for:

  • User Overview
  • Events Actions
  • Failed logins view
  • Successful logins view

The options are practically limitless, and you can create any visualization you can think of as long as your logs contain the data you want to visualize. For more information on using Kibana, please visit our tutorial.

[Dashboard screenshots: User Overview, Event Actions, Failed Logins, Successful Logins]

Okta Alerts

Coralogix user-defined alerts let you create any alert you have in mind, using complex queries and a variety of condition heuristics, so you can be more proactive with your Okta logs and gain insights you could never get from a traditional log investigation. Here are some examples of alerts we created using standard Okta log data.

The alert condition of each one can be customized to fit your needs.

Each alert is listed with its description, alert type, query and alert condition:

  1. Name: Okta Policy update
    1. Description: An access policy was updated.
    2. Alert Type: Standard
    3. Query: legacyEventType: "policy.updated" OR legacyEventType: "policy.rule.updated" NOT "test Infinipoint IdP – with mobile" OR "test Infinipoint IdP – without mobile" NOT "MFA-webauthn-Oktaverify-POC"
    4. Alert condition: Notify Immediately
  2. Name: OKTA – Policy Rule Deactivated
    1. Description: An access policy was deactivated.
    2. Alert Type: Standard
    3. Query: legacyEventType: "policy.rule.deactivated"
    4. Alert condition: Notify Immediately
  3. Name: OKTA – Policy Rule Deactivated
    1. Description: A rule in a policy was deactivated.
    2. Alert Type: Standard
    3. Query: legacyEventType: "policy.rule.deactivated"
    4. Alert condition: Notify Immediately
  4. Name: OKTA – Revoke user privilege
    1. Description: A user's privilege to do or access something was revoked.
    2. Alert Type: Standard
    3. Query: legacyEventType: "core.user.admin_privilege.revoked"
    4. Alert condition: Notify Immediately
  5. Name: OKTA – Policy Deleted
    1. Description: A policy was deleted in the Okta app.
    2. Alert Type: Standard
    3. Query: legacyEventType: "policy.deleted"
    4. Alert condition: Notify Immediately
  6. Name: OKTA – Admin Privilege Granted
    1. Description: A user was promoted to admin.
    2. Alert Type: Standard
    3. Query: debugContext.debugData.privilegeGranted: "admin" OR debugContext.debugData.privilegeGranted: "administrator"
    4. Alert condition: Notify Immediately
  7. Name: Okta – login failure
    1. Description: A user cannot log in to Okta.
    2. Alert Type: Standard
    3. Query: legacyEventType:"login failed" NOT request.ipChain.geographicalContext.city:"ashburn"
    4. Alert condition: More than usual
  8. Name: Okta – access admin app event from unknown actor
    1. Description: Login to the Okta admin app from an unknown source.
    2. Alert Type: Standard
    3. Query: eventType:"access admin app" AND NOT actor.alternateId:(root OR admin OR support)
    4. Alert condition: Notify Immediately
  9. Name: Okta – unauthorized admin request
    1. Description: An unauthorized login access request to the Okta app.
    2. Alert Type: Standard
    3. Query: actor.alternateId:(support OR root OR admin) AND NOT client.userAgent.browser:chrome
    4. Alert condition: Notify Immediately
  10. Name: Okta – non-browser like tool used to enter an app
    1. Description: Use of curl, wget or another utility that is not meant to browse the web.
    2. Alert Type: Standard
    3. Query: client.userAgent.rawUserAgent.keyword:/.{0,19}/
    4. Alert condition: Notify Immediately
  11. Name: administrative access to Okta
    1. Description: Monitor admin access to Okta: all admin activity that ended in failure.
    2. Alert Type: Standard
    3. Query: eventType: "user.session.access_admin_app" AND legacyEventType:failure
    4. Alert condition: Notify Immediately
  12. Name: Okta – Admin app access
    1. Description: Monitor admin access to the Okta app.
    2. Alert Type: Standard
    3. Query: eventType:"access admin app"
    4. Alert condition: More than usual
  13. Name: Okta – login from an unfamiliar country
    1. Description: Login to Okta from a country in which you have no users.
    2. Alert Type: New Value
    3. Query: legacyEventType:"login success"
    4. Alert condition: Key to track: Body.countryCode; notify on a new value in the last 48h
  14. Name: Abnormal amount of unique User Agents in OKTA
    1. Description: Attempts to access Okta from too many user agents that have not been seen before.
    2. Alert Type: Unique Count
    3. Alert condition: Unique Count Key: Client.userAgent.rawUserAgent
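A few of the alert queries above translated into plain detection logic and run over constructed sample events, so the semantics of each query are visible: in particular, that a Lucene regex on a .keyword field is anchored to the whole value, and how a "New Value" alert compares against the previous 48 hours. This is an added example, not Coralogix or Okta code; the sample events and the Body.countryCode field name (taken as written on this page) are assumptions.

```python
import re
from datetime import datetime, timedelta

def field(event, path):
    """Dotted-path lookup such as 'client.userAgent.rawUserAgent'; None when absent."""
    for key in path.split("."):
        event = event.get(key) if isinstance(event, dict) else None
    return event

KNOWN_ADMIN_IDS = {"root", "admin", "support"}  # the actor.alternateId list used in the table
def admin_app_from_unknown_actor(e):
    return field(e, "eventType") == "access admin app" and field(e, "actor.alternateId") not in KNOWN_ADMIN_IDS

def non_browser_like_tool(e):
    # A Lucene regex on a .keyword field is anchored to the whole value, so /.{0,19}/ means
    # "user agent of at most 19 characters" (curl/wget-sized); hence fullmatch, not search.
    ua = field(e, "client.userAgent.rawUserAgent")
    return ua is not None and re.fullmatch(r".{0,19}", ua) is not None

def admin_privilege_granted(e):
    return field(e, "debugContext.debugData.privilegeGranted") in {"admin", "administrator"}

def new_country_logins(events, lookback=timedelta(hours=48)):
    """'New Value' alert: a login success whose Body.countryCode was not seen in the previous 48h."""
    history, hits = [], []  # (timestamp, countryCode) of earlier successful logins
    for e in sorted(events, key=lambda e: e["published"]):
        if field(e, "legacyEventType") != "login success":
            continue
        ts = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%SZ")
        cc = field(e, "Body.countryCode")
        if cc and cc not in {c for t, c in history if ts - t <= lookback}:
            hits.append((ts, cc))
        history.append((ts, cc))
    return hits

# Constructed sample events (not real data); only the fields the queries touch are present.
SAMPLE_EVENTS = [
    {"published": "2022-03-21T08:00:00Z", "eventType": "access admin app", "actor": {"alternateId": "alice@example.com"}},
    {"published": "2022-03-21T08:05:00Z", "client": {"userAgent": {"rawUserAgent": "curl/7.79.1"}}},
    {"published": "2022-03-21T08:06:00Z", "client": {"userAgent": {"rawUserAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/98.0"}}},
    {"published": "2022-03-21T08:10:00Z", "debugContext": {"debugData": {"privilegeGranted": "admin"}}},
    {"published": "2022-03-21T09:00:00Z", "legacyEventType": "login success", "Body": {"countryCode": "US"}},
    {"published": "2022-03-21T10:00:00Z", "legacyEventType": "login success", "Body": {"countryCode": "DE"}},
    {"published": "2022-03-21T11:00:00Z", "legacyEventType": "login success", "Body": {"countryCode": "US"}},
    {"published": "2022-03-24T00:00:00Z", "legacyEventType": "login success", "Body": {"countryCode": "DE"}},
]

def standard_alert_hits(events):
    """Evaluate the three 'Notify Immediately' rules above against every event."""
    rules = {"unknown actor": admin_app_from_unknown_actor, "non-browser tool": non_browser_like_tool, "admin granted": admin_privilege_granted}
    return [(name, e["published"]) for e in events for name, rule in rules.items() if rule(e)]
```

The last DE login fires the New Value alert again because the previous DE login is more than 48 hours old, which is exactly the re-alerting behaviour the 48h window implies.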

To avoid noise from these alerts, Coralogix added a utility that lets you simulate how an alert would behave: at the end of the alert definition, click “Verify Alert”.

Need More Help with Okta or any other log data? Click on the chat icon on the bottom right corner for quick advice from our logging experts.