Quick Start Security for Okta
Coralogix Extension For Okta Includes:
Dashboards - 1
Gain instantaneous visualization of all your Okta data.
Alerts - 14
Stay on top of Okta key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
Admin privilege granted
This alert triggers whenever an administrator role is assigned either to an Okta user or a group.
Impact: An adversary may attempt to assign an administrator role/privileges to an Okta user or a group in order to assign additional permissions to a compromised user account and maintain access to their target's environment.
Mitigation: Verify that the activity is legitimate and that the user is authorized to do it. If not, revert the actions and investigate further.
MITRE Tactic: TA0004
MITRE Technique: T1078
Multiple Login Failure From a Source
This alert triggers whenever more than 10 failed Okta login attempts are observed from the same source IP address within an interval of 5 minutes.
Impact: Multiple failed login attempts in a short time frame might indicate a potential brute-force attack.
Mitigation: Check whether the failed login attempts are genuine attempts. If not, investigate further. Make sure MFA is enabled for all user accounts.
MITRE Tactic: TA0006
MITRE Technique: T1110
Building Block - Successful Login
This alert triggers whenever a user or an admin successfully logs into their Okta account. This alert is one of the building blocks for the flow alert 'Okta - Flow Alert - Possible Persistence Established'.
Note: Since this is an informational event and is part of a flow alert, administrators can choose not to enable a webhook on it.
Multiple Login Failure For an Account
This alert triggers whenever more than 5 failed Okta login attempts are observed for the same user account or the Okta admin app within an interval of 10 minutes.
Impact: Multiple failed login attempts in a short time frame might indicate a potential brute-force attack against the relevant accounts.
Mitigation: Check whether the failed login attempts are genuine attempts. If not, investigate further. Make sure MFA is enabled for all user accounts.
MITRE Tactic: TA0006
MITRE Technique: T1110
API Token Created
This alert triggers whenever a new API token is created in an Okta account.
Impact: If an attacker obtains access to an Okta account that has administrator privileges, they may attempt to create an API token as a persistence mechanism.
Mitigation: Verify that the user is aware of this newly created token and that the activity is legitimate. If not, disable/delete the token and investigate further for any malicious activities in the account.
MITRE Tactic: TA0005
MITRE Technique: T1134
Multiple accounts locked out
This alert triggers when more than 2 user accounts are locked out within a time interval of 10 minutes.
Impact: User account lockouts could indicate a potential brute-force attack.
Mitigation: Verify whether the user account lockouts are due to internal policy changes. If not, investigate for a potential brute-force attempt.
MITRE Tactic: TA0006
MITRE Technique: T1110
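The three count-based alerts above (failures per source IP, failures per account, and accounts locked out) are all the same shape: a sliding time window over one event type, grouped by a key, firing when the count exceeds a threshold. The following added example (my code, not Coralogix's or Okta's) replays constructed Okta System Log events through a small rule table that encodes exactly those three rules. Field names follow the Okta System Log schema (eventType, published, outcome.result, actor.alternateId, client.ipAddress, target[].alternateId); the sample events, the account names and the IP addresses are constructed.

```python
"""Sliding-window threshold detections over Okta System Log events.

Added example, not code from Coralogix or Okta. Field names follow the Okta
System Log schema (eventType, published, outcome.result, actor.alternateId,
client.ipAddress, target[].alternateId); the events below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass
class ThresholdRule:
    name: str
    event_type: str
    key: Callable[[dict], str]            # field the count is grouped by
    threshold: int                         # fire when the count is *more than* this
    window: timedelta
    result: Optional[str] = None           # required outcome.result, if any
    distinct: Optional[Callable[[dict], str]] = None  # count distinct values instead of events


RULES = [
    # >10 failed logins from one source IP within 5 minutes
    ThresholdRule("Multiple Login Failure From a Source", "user.session.start",
                  key=lambda e: e["client"]["ipAddress"], threshold=10,
                  window=timedelta(minutes=5), result="FAILURE"),
    # >5 failed logins for one account within 10 minutes
    ThresholdRule("Multiple Login Failure For an Account", "user.session.start",
                  key=lambda e: e["actor"]["alternateId"], threshold=5,
                  window=timedelta(minutes=10), result="FAILURE"),
    # >2 distinct accounts locked within 10 minutes (org-wide, hence a constant key)
    ThresholdRule("Multiple accounts locked out", "user.account.lock",
                  key=lambda e: "org", threshold=2, window=timedelta(minutes=10),
                  distinct=lambda e: e["target"][0]["alternateId"]),
]


def evaluate(events, rules):
    """Replay events in time order; return (rule, key, count, time) tuples."""
    state = {r.name: defaultdict(deque) for r in rules}
    alerts = []
    for ev in sorted(events, key=lambda e: e["published"]):
        now = datetime.fromisoformat(ev["published"])
        for rule in rules:
            if ev["eventType"] != rule.event_type:
                continue
            if rule.result and ev["outcome"]["result"] != rule.result:
                continue
            key = rule.key(ev)
            bucket = state[rule.name][key]
            bucket.append((now, rule.distinct(ev) if rule.distinct else None))
            while bucket and now - bucket[0][0] > rule.window:   # expire old entries
                bucket.popleft()
            count = len({v for _, v in bucket}) if rule.distinct else len(bucket)
            if count > rule.threshold:
                alerts.append((rule.name, key, count, now))
                bucket.clear()   # one alert per burst; a new burst must refill the window
    return alerts


# --- constructed sample events -------------------------------------------
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)


def _event(event_type, offset, actor, ip, result="SUCCESS", target=None):
    """Minimal constructed Okta System Log event, `offset` seconds after T0."""
    return {"eventType": event_type, "published": (T0 + timedelta(seconds=offset)).isoformat(),
            "actor": {"alternateId": actor}, "client": {"ipAddress": ip},
            "outcome": {"result": result}, "target": [{"alternateId": target}] if target else []}


SAMPLE_EVENTS = (
    # password spray: 12 accounts each fail once from one IP within 2 minutes
    [_event("user.session.start", 10 * i, f"user{i}@example.com", "203.0.113.7", "FAILURE")
     for i in range(12)]
    # brute force: one account fails 6 times from rotating IPs within 6 minutes
    + [_event("user.session.start", 1200 + 60 * i, "bob@example.com", f"198.51.100.{i}", "FAILURE")
       for i in range(6)]
    # three different accounts locked within 3 minutes
    + [_event("user.account.lock", 2400 + 60 * i, "system@okta", "198.51.100.99",
              target=f"locked{i}@example.com") for i in range(3)]
)

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, RULES):
        print(alert)
```

Note how the spray and the brute force trigger different rules: twelve accounts failing once each from one address never crosses the per-account threshold but does cross the per-source one, while six failures for one account from rotating addresses is the reverse. Clearing the bucket after an alert is the simplest way to avoid re-alerting on every further event in the same burst; a production rule would rather suppress for the window length.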
Suspicious user activity observed
This alert triggers whenever Okta identifies an activity as suspicious and logs it as such. This alert is based on the below 3 events and considers these actions as suspicious:
1. user.account.report_suspicious_activity_by_enduser: a user reported suspicious activity.
2. user.session.impersonation.initiate: a user has initiated a session impersonation, granting them access to the environment with the permissions of the user they are impersonating.
3. user.session.impersonation.grant: an impersonation session was granted.
Impact: Threat actors can perform multiple actions on an Okta account which Okta can detect as suspicious. These logs could indicate a possible compromise.
Mitigation: Investigate the respective suspicious event to check whether there was a compromise.
MITRE Tactic: TA0004
MITRE Technique: T1098
Impossible Travel Anomaly
This alert triggers when a user logs in to their Okta account from more than 1 country within a time interval of 2 hours. Authentications from different countries are mainly caused by 3 reasons:
1. the user is traveling;
2. the user used a VPN solution;
3. the user's credentials were compromised.
Impact: A user's login activity from more than one country within a short span of time could indicate their user account was compromised.
Mitigation: Verify that the login activity is legitimate. If not, investigate further for any signs of compromise. If the user account is compromised, force a password change and enable MFA if not done already.
MITRE Tactic: TA0001
MITRE Technique: T1078
An Unfamiliar non-browser user-agent observed
This rule triggers whenever the client user-agent is a non-browser. Some examples of non-browser user agents are Postman, curl, etc. In some cases, usage of a non-browser solution can indicate a malicious actor trying to get access to the organization's Okta environment.
Impact: Threat actors can use tools with non-browser user agents to perform malicious actions on your Okta platform.
Mitigation: Check whether the user-agent in use has a legitimate purpose. If not, block the source IP from accessing your Okta environment and investigate further if needed.
MITRE Tactic: TA0011
MITRE Technique: T1071
MITRE Sub-Technique: 001
Successful user Login from an unfamiliar country
This rule triggers for a successful user login from a new country that was not seen before. This might indicate an external actor attempting to gain access to a user account, or an employee who is traveling to a new location and working from there. Please fine-tune this alert as per your business requirements.
Impact: A successful login from an unfamiliar country might be an indicator of compromise.
Mitigation: Verify that the login was legitimate. If not, investigate further according to company policy. If needed, enforce a password change as well as MFA.
MITRE Tactic: TA0001
MITRE Technique: T1078
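Both country-based alerts (Impossible Travel Anomaly and Successful user Login from an unfamiliar country) work from the same field of a successful login event and differ only in what they compare it against: a per-user baseline of countries seen before, or the other countries seen for that user in the last 2 hours. The following added example (my code, not Coralogix's or Okta's) implements both checks in one pass. The country is read from client.geographicalContext.country as Okta logs it (country names such as "United States"); the per-user baseline, the account names and the events are constructed.

```python
"""Country-based login anomalies over Okta System Log events: a successful
login from a country never seen for that user, and successful logins from
more than one country within 2 hours.

Added example, not Coralogix's or Okta's code. The country is read from
client.geographicalContext.country as Okta logs it; the per-user baseline of
known countries and the events are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

UNFAMILIAR = "Successful user Login from an unfamiliar country"
IMPOSSIBLE_TRAVEL = "Impossible Travel Anomaly"


def detect_country_anomalies(events, known_countries, travel_window=timedelta(hours=2)):
    """Return (alert name, user, countries, time) tuples in event order.

    known_countries: {user: iterable of countries seen before}. A copy is
    updated as new countries are observed, so each new country alerts once.
    """
    known = {user: set(countries) for user, countries in known_countries.items()}
    recent = defaultdict(deque)   # user -> (time, country) of recent successful logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["published"]):
        if ev["eventType"] != "user.session.start" or ev["outcome"]["result"] != "SUCCESS":
            continue   # only successful logins matter for either rule
        now = datetime.fromisoformat(ev["published"])
        user = ev["actor"]["alternateId"]
        country = ev["client"]["geographicalContext"]["country"]
        seen = known.setdefault(user, set())
        if country not in seen:
            alerts.append((UNFAMILIAR, user, country, now))
            seen.add(country)
        q = recent[user]
        while q and now - q[0][0] > travel_window:   # keep only the travel window
            q.popleft()
        q.append((now, country))
        countries = sorted({c for _, c in q})
        if len(countries) > 1:
            alerts.append((IMPOSSIBLE_TRAVEL, user, "/".join(countries), now))
            q.clear()   # one alert per window; do not re-alert on every later login
    return alerts


# --- constructed sample events -------------------------------------------
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)


def _login(minute, user, country, result="SUCCESS"):
    """Constructed user.session.start event at T0 + `minute`."""
    return {"eventType": "user.session.start",
            "published": (T0 + timedelta(minutes=minute)).isoformat(),
            "actor": {"alternateId": user}, "outcome": {"result": result},
            "client": {"geographicalContext": {"country": country}}}


# constructed baseline of countries previously seen per user
KNOWN_COUNTRIES = {"alice@example.com": {"United States"},
                   "carol@example.com": {"United States", "Canada"}}

SAMPLE_EVENTS = [
    _login(0, "alice@example.com", "United States"),
    _login(90, "alice@example.com", "Germany"),           # new country, 90 min after a US login
    _login(5, "carol@example.com", "United States"),
    _login(245, "carol@example.com", "Canada"),           # known country, 4 h apart: nothing
    _login(10, "dave@example.com", "Brazil", "FAILURE"),  # failed logins are ignored
]

if __name__ == "__main__":
    for alert in detect_country_anomalies(SAMPLE_EVENTS, KNOWN_COUNTRIES):
        print(alert)
```

The baseline is where the "fine-tune as per your business requirements" advice applies: a user with no history will alert on their very first login, and a VPN egress in another country will look like travel, so the baseline should be seeded from a learning period and, if the organization uses one, from the VPN provider's countries.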
Flow Alert - Possible Brute Force Attempt
This alert triggers when a threat actor gains access to a user/admin account after multiple failed login attempts.
Impact: Adversaries may use brute-force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute-forcing passwords can take place via interaction with a service that will check the validity of those credentials, or offline against previously acquired credential data, such as password hashes.
Mitigation: Check whether the user is aware of the login attempts and whether the multiple failed attempts are caused by policy changes. If not, investigate the successful login attempt and any actions performed by the user afterward. If needed, block the source IP address and reset the user's password.
MITRE Tactic: TA0006
MITRE Technique: T1110
Flow Alert - Possible Privilege Escalation
This alert triggers when a threat actor, after gaining access to an Okta user account through a successful brute-force attack, grants admin privileges to that user to elevate their privileges.
Impact: Threat actors can elevate their privileges by granting admin privileges to an Okta user account.
Mitigation: Verify that this action is known and that the user should have admin privileges. If not, revoke the privileges and investigate further for any other malicious activities that happened around the same time.
MITRE Tactic: TA0004
MITRE Technique: T1098
Flow Alert - Possible Persistence Established
This alert triggers when a threat actor, after gaining access to a user/admin Okta account through a successful brute-force attack, creates a new API token as a persistence mechanism.
Impact: Threat actors can create an API token to maintain persistence after gaining initial access to a user/admin account.
Mitigation: Verify that the user is aware of this newly created API token. If not, disable/delete the API token and investigate further.
MITRE Tactic: TA0003
MITRE Technique: T1098
MITRE Sub-Technique: 001
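The three flow alerts above chain the building blocks in sequence rather than counting them: a burst of failed logins followed by a successful login for the same account, and then an admin privilege grant to that account or an API token created by it. The following added example (my code, not Coralogix's or Okta's) correlates that sequence per account. The event types used (user.session.start, user.account.privilege.grant, system.api_token.create) are Okta System Log event types; the thresholds (at least 5 failures in the 10 minutes before the success, follow-on action within 30 minutes of it) are my assumptions, since the page does not state them, and the events and account names are constructed.

```python
"""Flow (sequence) detections over Okta System Log events: a successful login
that follows a burst of failures, then an admin grant to, or an API token
created by, that same account.

Added example, not Coralogix's or Okta's code. The thresholds (5 failures
within 10 minutes before the success, follow-on action within 30 minutes) are
assumptions; the events are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

BRUTE_FORCE = "Flow Alert - Possible Brute Force Attempt"
PRIV_ESC = "Flow Alert - Possible Privilege Escalation"
PERSISTENCE = "Flow Alert - Possible Persistence Established"
FOLLOW_ON = {"user.account.privilege.grant": PRIV_ESC,
             "system.api_token.create": PERSISTENCE}


def detect_flows(events, min_failures=5, fail_window=timedelta(minutes=10),
                 follow_window=timedelta(minutes=30)):
    """Return (alert name, account, time) tuples in event order."""
    failures = defaultdict(deque)   # account -> timestamps of failed logins
    suspect_since = {}              # account -> time of the success that ended a burst
    alerts = []
    for ev in sorted(events, key=lambda e: e["published"]):
        now = datetime.fromisoformat(ev["published"])
        actor = ev["actor"]["alternateId"]
        etype = ev["eventType"]
        if etype == "user.session.start":
            if ev["outcome"]["result"] != "SUCCESS":
                failures[actor].append(now)
                continue
            q = failures[actor]
            while q and now - q[0] > fail_window:   # only failures shortly before the success count
                q.popleft()
            if len(q) >= min_failures:              # building block: failures, then a success
                alerts.append((BRUTE_FORCE, actor, now))
                suspect_since[actor] = now
                q.clear()
            continue
        if etype not in FOLLOW_ON:
            continue
        # the suspect account is the actor (token creation) or a target (admin grant)
        involved = {actor} | {t.get("alternateId") for t in ev.get("target", [])}
        for account in involved:
            since = suspect_since.get(account)
            if since is not None and now - since <= follow_window:
                alerts.append((FOLLOW_ON[etype], account, now))
    return alerts


# --- constructed sample events -------------------------------------------
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)


def _event(event_type, minute, actor, result="SUCCESS", target=None):
    """Minimal constructed Okta System Log event at T0 + `minute`."""
    return {"eventType": event_type, "published": (T0 + timedelta(minutes=minute)).isoformat(),
            "actor": {"alternateId": actor}, "outcome": {"result": result},
            "target": [{"alternateId": target}] if target else []}


SAMPLE_EVENTS = (
    # mallory: five failures, a success, then an admin grant to and an API token by that account
    [_event("user.session.start", m, "mallory@example.com", "FAILURE") for m in range(5)]
    + [_event("user.session.start", 5, "mallory@example.com"),
       _event("user.account.privilege.grant", 12, "admin@example.com", target="mallory@example.com"),
       _event("system.api_token.create", 15, "mallory@example.com"),
       # carol: two mistyped passwords then a success, below the threshold
       _event("user.session.start", 30, "carol@example.com", "FAILURE"),
       _event("user.session.start", 31, "carol@example.com", "FAILURE"),
       _event("user.session.start", 32, "carol@example.com"),
       # dave: API token with no preceding burst; the stand-alone
       # "API Token Created" alert would still cover it, the flow alert does not
       _event("system.api_token.create", 40, "dave@example.com")]
)

if __name__ == "__main__":
    for alert in detect_flows(SAMPLE_EVENTS):
        print(alert)
```

The privilege-grant case is matched on the target as well as the actor because in a grant event the actor is the administrator performing it while the account receiving admin rights appears in the target list; the token-creation case matches on the actor. Lowering min_failures makes the carol sequence fire too, which is the tuning trade-off the single-event alerts leave to the flow.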
An event with suspected threat occurred
This alert triggers whenever a logged event is marked as a suspected threat by Okta.
Impact: A suspected threat could indicate malicious activity.
Mitigation: Check the corresponding Okta event which was marked as a suspected threat by Okta. Investigate the root cause and correlate with other events logged around the same time.
Integration
Learn more about Coralogix's out-of-the-box integration with Okta in our documentation.