
Quick Start Security for Okta


Coralogix Extension For Okta Includes:

Dashboards - 1

Gain instantaneous visualization of all your Okta data.

Okta E2M Dashboard

Alerts - 21

Stay on top of Okta key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Admin privilege granted

This alert triggers whenever an administrator role is assigned either to an Okta user or a group.
Impact: An adversary may attempt to assign an administrator role/privileges to an Okta user or a group in order to assign additional permissions to a compromised user account and maintain access to their target's environment.
Mitigation: Verify if the activity is legitimate and if the user is authorized to do it. If not, revert the actions and investigate further.
MITRE Tactic: TA0004
MITRE Technique: T1078

MFA bypass attempted

This alert triggers whenever there is an attempt to bypass MFA.
Impact: Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
Mitigation: Verify if this action is legitimate and that the user is aware and authorized to do it. Re-enable MFA if it is disabled. Investigate further for any other malicious activities that occurred around this time.
MITRE Tactic: TA0006
MITRE Technique: T1621

Multiple MFA push notifications rejected

This alert triggers when more than 2 MFA push notifications are rejected by an Okta user in a time interval of 10 minutes.
Impact: If an attacker obtains an employee's username and password, they may attempt to log in to your organization's Okta portal over and over again, which sends a push notification (approve/deny) to the employee each time. The user may deny the attempts for a while, but eventually become fatigued and approve one of them, granting the attacker access to your environment. This attack technique is known as MFA fatigue.
Mitigation: Verify if the MFA push notifications are legitimate and are the result of a user action. If the legitimacy can't be verified, investigate further to see if there is any brute force attempt from a specific IP address or for a specific user. See the following link to learn more about this technique and how to prevent it: https://www.rsa.com/multi-factor-authentication/combatting-mfa-fatigue-and-preventing-prompt-bombing-attacks/
MITRE Tactic: TA0006
MITRE Technique: T1621

Multiple Login Failure From a Source

This alert triggers whenever more than 10 failed Okta login attempts are observed from the same source IP address within an interval of 5 minutes.
Impact: Multiple failed login attempts in a short time frame might indicate a potential brute-force attack.
Mitigation: Check if the failed login attempts are genuine attempts. If not, investigate further. Make sure to enable MFA for all the user accounts.
MITRE Tactic: TA0006
MITRE Technique: T1110

Building Block - Successful Login

This alert triggers whenever a user or an admin successfully logs into their Okta account. This alert is one of the building blocks for the flow alert 'Okta - Flow Alert - Possible Persistence Established'.
Note: Since this is an informational event and is part of a flow alert, administrators can choose not to enable a webhook on it.

Multiple Login Failure For an Account

This alert triggers whenever more than 5 failed Okta login attempts are observed for the same user account or the Okta admin app within an interval of 10 minutes.
Impact: Multiple failed login attempts in a short time frame might indicate a potential brute-force attack against the relevant accounts.
Mitigation: Check if the failed login attempts are genuine attempts. If not, investigate further. Make sure to enable MFA for all the user accounts.
MITRE Tactic: TA0006
MITRE Technique: T1110

API Token Created

This alert triggers whenever a new API token is created in an Okta account.
Impact: If an attacker obtains access to an Okta account that has administrator privileges, they may attempt to create an API token as a persistence mechanism.
Mitigation: Verify if the user is aware of this newly created token and that the activity is legitimate. If not, disable/delete the token and investigate further for any malicious activities in the account.
MITRE Tactic: TA0005
MITRE Technique: T1134

Multiple accounts locked out

This alert triggers when more than 2 user accounts are locked out in a time interval of 10 minutes.
Impact: User account lockout could indicate a potential brute force attack.
Mitigation: Verify if the user account lockout is due to some internal policy changes. If not, investigate for any potential brute force attempt.
MITRE Tactic: TA0006
MITRE Technique: T1110

Suspicious user activity observed

This alert triggers whenever Okta identifies an activity as suspicious and logs it as such. This alert is based on the following 3 events and considers these actions as suspicious:
1. user.account.report_suspicious_activity_by_enduser: User reported suspicious activity.
2. user.session.impersonation.initiate: A user has initiated a session impersonation, granting them access to the environment with the permissions of the user they are impersonating.
3. user.session.impersonation.grant: An impersonation session was granted.
Impact: Threat actors can perform multiple actions on an Okta account which Okta can detect as suspicious. These logs could indicate a possible compromise.
Mitigation: Investigate the respective suspicious event to check if there was a compromise or not.
MITRE Tactic: TA0004
MITRE Technique: T1098

Possible Password Spray attempt

This alert triggers whenever there is a possible password spray attempt as detected by Okta logs. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid the account lockouts that would normally occur when brute forcing a single account with many passwords.
Impact: Threat actors may brute force an Okta account using the password spray method to gain initial access.
Mitigation: Verify if there was indeed a password spray attempt. If yes, investigate further to check if there was any successful login to any account from the same IP around the same time. It is recommended to enable MFA for the Okta accounts.
MITRE Tactic: TA0006
MITRE Technique: T1110
MITRE Sub-Technique: 003

Impossible Travel Anomaly

This alert triggers when a user logs in to their Okta account from more than 1 country within a time interval of 2 hours. Authentications from different countries are mainly caused by 3 reasons:
1. The user is traveling.
2. The user used a VPN solution.
3. The user's credentials were compromised.
Impact: A user's login activity from more than one country location within a short span of time could indicate their user account was compromised.
Mitigation: Verify if the login activity is legitimate. If not, investigate further for any signs of compromise. If the user account is compromised, force a password change as well as enable MFA if not done already.
MITRE Tactic: TA0001
MITRE Technique: T1078
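The threshold alerts described above (Multiple MFA push notifications rejected, Multiple Login Failure From a Source, Multiple Login Failure For an Account, Multiple accounts locked out and Impossible Travel Anomaly) all reduce to the same primitive: count events, or distinct values, per key inside a sliding time window and fire when the page's threshold is exceeded. The Python below is an added example, not code from Coralogix or Okta, that implements that window over events in the Okta System Log JSON shape with the thresholds stated on this page. The event types used to match each rule (user.mfa.okta_verify.deny_push, user.session.start, user.account.lock), the field paths and every sample event are assumptions made for the demonstration.

```python
"""Sliding-window threshold rules over Okta System Log events.

Added example, not Coralogix's or Okta's code. Events use the Okta System Log
shape (eventType, published, actor.alternateId, client.ipAddress,
client.geographicalContext.country, outcome.result). The event types matched by
each rule and all sample events are assumptions made for this demonstration.
"""
from collections import deque
from datetime import datetime, timedelta, timezone

def parse_ts(published):
    # Okta publishes RFC 3339 timestamps with a trailing 'Z'
    return datetime.fromisoformat(published.replace("Z", "+00:00"))

def actor(e):
    return e["actor"]["alternateId"]

def login_country(e):
    return e["client"]["geographicalContext"]["country"]

def is_login(e, result):
    return e["eventType"] == "user.session.start" and e["outcome"]["result"] == result

def windowed_alerts(events, match, key_fn, threshold, window, distinct_fn=None):
    """Alert once per key when more than `threshold` matching events (or, with
    distinct_fn, more than `threshold` distinct values) fall inside `window`."""
    buckets = {}   # key -> deque of (timestamp, distinct value) inside the window
    fired = set()  # keys that already alerted, to suppress repeats
    alerts = []
    for e in sorted(events, key=lambda e: e["published"]):
        if not match(e):
            continue
        ts, key = parse_ts(e["published"]), key_fn(e)
        q = buckets.setdefault(key, deque())
        q.append((ts, distinct_fn(e) if distinct_fn else None))
        while ts - q[0][0] > window:  # evict events older than the window
            q.popleft()
        count = len({v for _, v in q}) if distinct_fn else len(q)
        if count > threshold and key not in fired:
            fired.add(key)
            alerts.append({"key": key, "count": count, "at": e["published"]})
    return alerts

# Thresholds and windows are the ones stated for each alert on this page.
RULES = {
    "Multiple MFA push notifications rejected": lambda ev: windowed_alerts(
        ev, lambda e: e["eventType"] == "user.mfa.okta_verify.deny_push",
        actor, 2, timedelta(minutes=10)),
    "Multiple Login Failure From a Source": lambda ev: windowed_alerts(
        ev, lambda e: is_login(e, "FAILURE"),
        lambda e: e["client"]["ipAddress"], 10, timedelta(minutes=5)),
    "Multiple Login Failure For an Account": lambda ev: windowed_alerts(
        ev, lambda e: is_login(e, "FAILURE"), actor, 5, timedelta(minutes=10)),
    "Multiple accounts locked out": lambda ev: windowed_alerts(
        ev, lambda e: e["eventType"] == "user.account.lock",
        lambda e: "tenant", 2, timedelta(minutes=10), distinct_fn=actor),
    "Impossible Travel Anomaly": lambda ev: windowed_alerts(
        ev, lambda e: is_login(e, "SUCCESS"), actor, 1, timedelta(hours=2),
        distinct_fn=login_country),
}

def run_rules(events):
    return {name: rule(events) for name, rule in RULES.items()}

def make_event(minute, event_type, user, ip="203.0.113.7", country="Germany", result="SUCCESS"):
    # Constructed sample event; `minute` is an offset from a fixed start time
    ts = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc) + timedelta(minutes=minute)
    return {"eventType": event_type, "published": ts.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
            "outcome": {"result": result}}

SAMPLE_EVENTS = (
    # three rejected pushes for alice within six minutes
    [make_event(m, "user.mfa.okta_verify.deny_push", "alice@example.com") for m in (0, 3, 6)]
    # eleven failures from one IP against eleven different accounts in four minutes
    + [make_event(m // 3, "user.session.start", f"user{m}@example.com",
                  ip="198.51.100.9", result="FAILURE") for m in range(11)]
    # six failures for bob spread over ten minutes (too slow for the per-source rule)
    + [make_event(10 + m, "user.session.start", "bob@example.com",
                  ip="192.0.2.44", result="FAILURE") for m in range(0, 12, 2)]
    # three different accounts locked within three minutes
    + [make_event(20 + i, "user.account.lock", f"{u}@example.com")
       for i, u in enumerate(("carol", "dave", "erin"))]
    # alice logs in from Germany, then from Brazil 45 minutes later
    + [make_event(30, "user.session.start", "alice@example.com"),
       make_event(75, "user.session.start", "alice@example.com",
                  ip="203.0.113.200", country="Brazil")]
)

if __name__ == "__main__":
    for name, hits in run_rules(SAMPLE_EVENTS).items():
        print(name, hits)
```

Each rule fires exactly once on the sample data and stays silent for the cross-cases (the eleven spread-out failures never push a single account past 5, and bob's slow attempts never push his IP past 10 in 5 minutes), which is the tuning question behind every one of these alerts: the key you count by decides which attack shape you see.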

Policy Change Occurred

This alert triggers whenever Okta policies are changed. Policy changes include deactivation, deletion, modification, override, etc.
Impact: A threat actor may change an Okta policy to escalate their privileges and perform further malicious actions.
Mitigation: Verify if the policy changes are known and if the user performing these actions is authorized to do so. If not, revert the actions and investigate further.
MITRE Tactic: TA0004
MITRE Technique: T1484

MFA disable/suspend attempts on user accounts

This alert triggers whenever MFA factors are disabled, suspended, or removed on user accounts. Events related to these actions include:
user.mfa.factor.deactivate - deactivation of MFA on user accounts.
user.mfa.factor.reset_all - reset of all factors or authenticator enrollments for the user.
system.mfa.factor.deactivate - an admin has disabled a factor for MFA.
user.mfa.factor.suspend - suspension of a factor or authenticator enrollment method for the user.
Impact: An adversary may deactivate or suspend MFA for an Okta user account in order to weaken the authentication requirements for the account.
Mitigation: Verify if this activity is known and legitimate. If not, investigate further and revert the actions. Check if any other malicious/suspicious activities occurred around the time these events were logged.
MITRE Tactic: TA0005
MITRE Technique: T1556
MITRE Sub-Technique: 006

An Unfamiliar non-browser user-agent observed

This rule triggers whenever the client user-agent is a non-browser. Some examples of non-browser user agents are Postman, curl, etc. In some cases, usage of a non-browser solution can indicate a malicious actor trying to get access to the organization's Okta environment.
Impact: Threat actors can use tools with non-browser user agents to perform malicious actions on your Okta platform.
Mitigation: Check whether the user-agent in use has a legitimate purpose. If not, block the source IP from accessing your Okta environment and investigate further if needed.
MITRE Tactic: TA0011
MITRE Technique: T1071
MITRE Sub-Technique: 001

Successful user Login from an unfamiliar country

This rule triggers for successful user login activities from a new country that was not seen before. This might be an indication of an external actor attempting to gain access to a user account or an employee who is traveling to a new location and working from there. Please fine-tune this alert as per your business requirements.
Impact: A successful login from an unfamiliar country might be an indicator of compromise.
Mitigation: Verify if the login was legitimate. If not legitimate, further investigate according to company policy. If needed, enforce password change as well as MFA.
MITRE Tactic: TA0001
MITRE Technique: T1078

Successful Access to Admin app from an unfamiliar country

This rule triggers for access to the Okta admin app from a new country that was not seen before. This might be an indication of an external actor attempting to gain access to an admin account or an employee who is traveling to a new location and working from there. Please fine-tune this alert as per your business requirements.
Impact: Successful access to an admin app from an unfamiliar country might be an indicator of compromise.
Mitigation: Verify if the app access was legitimate. If not legitimate, further investigate according to company policy. If needed, enforce password change as well as MFA.
MITRE Tactic: TA0001
MITRE Technique: T1078
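Both "unfamiliar country" rules above differ from the threshold rules in that they need a baseline: the set of countries each user has already authenticated from. The Python below is an added example, not Coralogix's or Okta's code, that builds that baseline from historical successful events and flags the first successful login (user.session.start) or admin-app access (user.session.access_admin_app) from a country outside it. The two event-type names, the field paths and all history and new events are assumptions made for the demonstration.

```python
"""Baseline rules: successful login or admin-app access from a country not seen before.

Added example, not Coralogix's or Okta's code. Assumes Okta System Log fields
(eventType, published, actor.alternateId, client.ipAddress,
client.geographicalContext.country, outcome.result) and the event types below;
the history and new events are constructed for the demonstration.
"""
from collections import defaultdict

MONITORED = {  # assumed event type -> name of the alert on this page
    "user.session.start": "Successful user Login from an unfamiliar country",
    "user.session.access_admin_app": "Successful Access to Admin app from an unfamiliar country",
}

def _user(e):
    return e["actor"]["alternateId"]

def _country(e):
    return e["client"]["geographicalContext"]["country"]

def _successful(e):
    return e["eventType"] in MONITORED and e["outcome"]["result"] == "SUCCESS"

def build_baseline(history):
    """Countries each user has successfully authenticated from before."""
    known = defaultdict(set)
    for e in history:
        if _successful(e):
            known[_user(e)].add(_country(e))
    return known

def unfamiliar_country_alerts(history, new_events):
    """Flag successful monitored events whose country is outside the user's
    baseline. A newly seen country is added to the baseline, so one trip fires
    once; drop the `known[user].add(c)` line to alert on every such login."""
    known = build_baseline(history)
    alerts = []
    for e in sorted(new_events, key=lambda e: e["published"]):
        if not _successful(e):
            continue
        user, c = _user(e), _country(e)
        if c in known[user]:
            continue
        alerts.append({"rule": MONITORED[e["eventType"]], "user": user, "country": c,
                       "ip": e["client"]["ipAddress"], "at": e["published"]})
        known[user].add(c)
    return alerts

def make_event(published, event_type, user, country, ip="203.0.113.7", result="SUCCESS"):
    # Constructed sample event in the Okta System Log shape
    return {"eventType": event_type, "published": published,
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
            "outcome": {"result": result}}

HISTORY = [  # a month of normal activity (constructed)
    make_event("2024-04-02T08:00:00.000Z", "user.session.start", "alice@example.com", "Germany"),
    make_event("2024-04-10T08:00:00.000Z", "user.session.start", "alice@example.com", "Netherlands"),
    make_event("2024-04-11T08:00:00.000Z", "user.session.access_admin_app", "bob@example.com", "Germany"),
    make_event("2024-04-12T08:00:00.000Z", "user.session.start", "bob@example.com", "Germany"),
    # a failed attempt never enters the baseline
    make_event("2024-04-20T08:00:00.000Z", "user.session.start", "alice@example.com", "Nigeria", result="FAILURE"),
]

NEW_EVENTS = [  # today's events (constructed)
    make_event("2024-05-01T07:00:00.000Z", "user.session.start", "alice@example.com", "Germany"),
    make_event("2024-05-01T09:15:00.000Z", "user.session.start", "alice@example.com", "Japan", ip="198.51.100.23"),
    make_event("2024-05-01T09:20:00.000Z", "user.session.start", "alice@example.com", "Japan", ip="198.51.100.23"),
    make_event("2024-05-01T10:00:00.000Z", "user.session.access_admin_app", "bob@example.com", "Germany"),
    make_event("2024-05-01T11:00:00.000Z", "user.session.access_admin_app", "bob@example.com", "Brazil", ip="192.0.2.77"),
    make_event("2024-05-01T11:05:00.000Z", "user.session.start", "carol@example.com", "Japan", result="FAILURE"),
]

if __name__ == "__main__":
    for a in unfamiliar_country_alerts(HISTORY, NEW_EVENTS):
        print(a)
```

A user with no history at all has an empty baseline and fires on their first login; whether that is wanted (new joiners, contractors) is part of the fine-tuning the page asks for, as is the length of the history window you build the baseline from.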

Flow Alert - Possible Brute Force Attempt

This alert triggers when a threat actor gains access to a user/admin account after multiple failed login attempts.
Impact: Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute-forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
Mitigation: Check if the user is aware of the login attempts and if the multiple failed attempts are caused by some policy changes. If not, investigate the successful login attempt and any actions performed by the user afterward. If needed, block the source IP address and reset the user passwords.
MITRE Tactic: TA0006
MITRE Technique: T1110

Flow Alert - Possible Privilege Escalation

This alert triggers when a threat actor, after gaining access to an Okta user account as a result of a successful brute-force attack, grants admin privileges to that user to elevate their privileges.
Impact: Threat actors can elevate their privileges by granting admin privileges to an Okta user account.
Mitigation: Verify if this action is known and if that user should have admin privileges. If not, revoke the privileges and investigate further for any other malicious activities that happened around the same time.
MITRE Tactic: TA0004
MITRE Technique: T1098

Flow Alert - Possible Persistence Established

This alert triggers when a threat actor, after gaining access to a user/admin Okta account as a result of a successful brute-force attack, creates a new API token as a persistence mechanism.
Impact: Threat actors can create an API token to maintain persistence after gaining initial access to a user/admin account.
Mitigation: Verify if the user is aware of this newly created API token. If not, disable/delete the API token and investigate it further.
MITRE Tactic: TA0003
MITRE Technique: T1098
MITRE Sub-Technique: 001
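The three flow alerts above chain the page's building blocks into a stateful sequence: repeated failed logins for one account, a successful login for the same account, and then an admin privilege grant to it or an API token created by it. The Python below is an added example, not Coralogix's or Okta's code, that runs that correlation over events in the Okta System Log shape. The event types used (user.session.start, user.account.privilege.grant, system.api_token.create), the failure threshold of 5, the 30-minute window between stages and all sample events are assumptions made for the demonstration.

```python
"""Flow (multi-stage) alerts: brute force -> privilege grant / API token.

Added example, not Coralogix's or Okta's code. Stage boundaries, the failure
threshold, the window and the sample events are assumptions for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOGIN = "user.session.start"
PRIV_GRANT = "user.account.privilege.grant"
TOKEN_CREATE = "system.api_token.create"

def parse_ts(published):
    # Okta publishes RFC 3339 timestamps with a trailing 'Z'
    return datetime.fromisoformat(published.replace("Z", "+00:00"))

def flow_alerts(events, failure_threshold=5, window=timedelta(minutes=30)):
    """Stage 1: at least `failure_threshold` failed logins for an account inside `window`.
    Stage 2: a successful login for that account -> Possible Brute Force Attempt.
    Stage 3: within `window` of that success, an admin privilege grant targeting the
    account -> Possible Privilege Escalation; an API token created by the account
    -> Possible Persistence Established."""
    failures = defaultdict(deque)  # account -> timestamps of recent failed logins
    compromised = {}               # account -> time of the success that followed them
    alerts = []

    def fire(rule, user, e):
        alerts.append({"rule": rule, "user": user, "at": e["published"]})

    for e in sorted(events, key=lambda e: e["published"]):
        ts, who, kind = parse_ts(e["published"]), e["actor"]["alternateId"], e["eventType"]
        if kind == LOGIN:
            q = failures[who]
            while q and ts - q[0] > window:  # evict failures outside the window
                q.popleft()
            if e["outcome"]["result"] == "FAILURE":
                q.append(ts)
            elif e["outcome"]["result"] == "SUCCESS":
                if len(q) >= failure_threshold:
                    compromised[who] = ts
                    fire("Possible Brute Force Attempt", who, e)
                q.clear()
        elif kind == PRIV_GRANT:
            # the grant's actor may be another admin; the compromised account is the target
            for target in e.get("target", []):
                user = target.get("alternateId")
                if user in compromised and ts - compromised[user] <= window:
                    fire("Possible Privilege Escalation", user, e)
        elif kind == TOKEN_CREATE:
            if who in compromised and ts - compromised[who] <= window:
                fire("Possible Persistence Established", who, e)
    return alerts

def make_event(minute, event_type, user, result="SUCCESS", target=None):
    # Constructed sample event; `minute` is an offset from a fixed start time
    ts = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc) + timedelta(minutes=minute)
    e = {"eventType": event_type, "published": ts.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
         "actor": {"alternateId": user}, "outcome": {"result": result}}
    if target:
        e["target"] = [{"type": "User", "alternateId": target}]
    return e

SAMPLE_EVENTS = (
    # six failures, then a success: stages 1 and 2 for victim@example.com
    [make_event(m, LOGIN, "victim@example.com", "FAILURE") for m in range(6)]
    + [make_event(6, LOGIN, "victim@example.com")]
    # an admin role granted to that account, then an API token created by it
    + [make_event(10, PRIV_GRANT, "victim@example.com", target="victim@example.com"),
       make_event(12, TOKEN_CREATE, "victim@example.com")]
    # carol mistypes twice, logs in and creates a token: below threshold, no alert
    + [make_event(m, LOGIN, "carol@example.com", "FAILURE") for m in (20, 21)]
    + [make_event(22, LOGIN, "carol@example.com"),
       make_event(25, TOKEN_CREATE, "carol@example.com")]
)

if __name__ == "__main__":
    for a in flow_alerts(SAMPLE_EVENTS):
        print(a)
```

The order of checks matters: the success is only counted as a brute-force win when the failures precede it inside the window, and the later stages only fire for accounts already marked compromised, which is why carol's ordinary token creation produces nothing even though the same event type is involved.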

An event with suspected threat occurred

This alert triggers whenever a logged event is marked as a suspected threat by Okta.
Impact: A suspected threat could indicate malicious activity.
Mitigation: Check the corresponding Okta event which was marked as a suspected threat by Okta. Investigate the root cause and correlate with other events logged around the same time.

No Logs From Okta

This rule detects if there are no logs for Okta in the customer account.
Note: This alert should be configured with the relevant application and subsystem. Define timeframes/conditions that directly align with business objectives.
Impact: Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system.
MITRE Tactic: TA0005
MITRE Technique: T1562

Integration

Learn more about Coralogix's out-of-the-box integration with Okta in our documentation.
