Telling More Okta Detection Stories with Google Chronicle

Defensive Cyber Operations

Robust protection comes from layers, and many of you are already familiar with the Swiss Cheese Model. Simply stated, even when you're confident in your primary controls, that confidence only grows with each additional layer added. Because who wants to have a defense that’s built around a single slice of sad cheese, wrapped in a pitiful film of plastic? No thanks, we’ll take that sturdy block of Swiss each and every time.

Of course, given how thin most security teams are spread, robust layering is often easier said than done. Not every security team has the luxury of dedicated Detection Engineers to craft, research and develop custom logic to catch threat actor activity, and not every security team has the time and skill to synthesize and recreate our logic in other SIEM platforms. With this in mind, Okta Security recently published a number of our bespoke detections.

“But,” quoth the game show hosts, “ that’s not all!” Today we’re excited to share that Chronicle and Okta have been collaborating to help these detections reach an even wider audience. And this time around, the Chronicle team threw a few extra slices of cheese on top!

Not only did they rewrite these detections for their environment, they also did their own research and wrote additional detections. You can read more about each of them over at Chronicle’s blog. We’ve described them below too.

To channel the words of Oprah, “You get a new detection, and you get a new detection, and you get a new detection!”

Okta Phishing Detection with FastPass Origin Check

ID

T1566

Technique

Phishing

Chronicle identifier

okta_phishing_detection_with_fastpass_origin_check

Description

Okta provides a platform detection for when a user enrolled in FastPass fails to authenticate via a real-time AiTM phishing proxy.

Okta Reference

Detecting Real-Time Phishing Attacks

Okta System Log Query

eventType eq "user.authentication.auth_via_mfa" AND result eq "FAILURE" AND outcome.reason eq "FastPass declined phishing attempt"

Successful MFA After Multiple Failures

ID

T1110

Technique

Credential Access

Chronicle identifier

okta_mfa_brute_force_attack

Description

Detects a successful login after multiple failed MFA pushes

Okta Reference

Using Workflows to Respond to Anomalous Push Requests

Repeated MFA Rejections by User

ID

T1110

Technique

Brute Force

Chronicle identifier

okta_user_rejected_multiple_push_notifications

Description

NEW: Detects when an Okta user rejects more than 2 Push notifications in a 10 minute window.

Okta Reference

Using Workflows to Respond to Anomalous Push Requests

Okta System Log Query

Okta Identity Engine

eventType eq "user.authentication.auth_via_mfa" AND outcome.result="FAILURE" and outcome.reason="INVALID_CREDENTIALS" and debugContext.debugData.factor eq "OKTA_VERIFY_PUSH"

Okta Classic Engine

eventType eq  "user.mfa.okta_verify.deny_push"

ID

T1539

Technique

Steal Web Session Cookie

Chronicle identifier

okta_suspicious_use_of_a_session_cookie

Description

Detects when an adversary attempts to reuse a stolen web session cookie in a different device that has a different OS, IP, Browser or User Agent.

Okta Reference

Defending against Session Hijacking

Failed Number Challenge

ID

T1621

Technique

Multi-Factor Authentication Request Generation

Chronicle identifier

okta_user_failed_number_challenge_during_push_notification

Description

Detects when an Okta user failed a number challenge during push notification.

Okta Reference

Number Challenge for Okta Verify

Mismatch Between Source and Response for Verify Push Request

ID

T1621

Technique

Multi-Factor Authentication Request Generation

Chronicle identifier

okta_mismatch_between_source_and_response_for_verify_push_request

Description

Okta Mismatch Between Source and Response for Verify Push Request

Okta Reference

Okta and Splunk Combine to Detect Common Attacks

Multiple Failed Users with Invalid Credentials from the same IP

ID

T1078

Technique

Valid Accounts

Chronicle identifier

okta_multiple_users_logins_with_invalid_credentials_from_the_same_ip

Description

NEW: Detects multiple user logins with invalid credentials from a single IP.

Okta Reference

System Log events for Okta ThreatInsight

User Reported Suspicious Activity

ID

T1078

Technique

Valid Account

Chronicle identifier

okta_user_suspicious_activity_reported

Description

NEW: An Okta user reports suspicious activity in response to an end user security notification.

Okta Reference

Suspicious Activity Reporting

Okta System Log Query

eventType eq "user.account.report_suspicious_activity_by_enduser"

Multiple Failed Requests to Access Okta Applications

ID

T1550.004

Technique

Use Alternate Authentication Material: Web Session Cookie

Chronicle identifier

okta_multiple_failed_requests_to_access_applications

Description

Detects multiple failed requests to access applications

Okta Reference

Okta and Splunk Combine to Detect Common Attacks

ThreatInsight Alert: Suspected Brute Force

ID

T1110.001

Technique

Brute Force: Password Guessing

Chronicle identifier

okta_threatinsight_suspected_brute_force_attack

Description

NEW: Okta ThreatInsight detects multiple login failures from the same IP across one or more Okta orgs

Okta Reference

System Log events for Okta ThreatInsight

Okta System Log Query

eventType eq "security.threat.detected" and outcome.reason eq "Login Failures"

ThreatInsight Alert: Suspected Targeted Brute Force

ID

T1110

Technique

Brute Force

Chronicle identifier

okta_threatinsight_targeted_brute_force_attack

Description

NEW: Okta ThreatInsight detects access requests from known malicious IPs targeting a specific org.

Okta Reference

System Log events for Okta ThreatInsight

Okta System Log Query

eventType eq "security.attack.start"

ThreatInsight Alert: Login Failure with High Unknown Users

ID

T1110.004

Technique

Brute Force: Credential Stuffing

Chronicle identifier

okta_threatinsight_login_failure_with_high_unknown_users

Description

Okta's ThreatInsight can identify multiple login failures with high unknown users count from the same IP across one or more Okta orgs.

Okta Reference

System Log events for Okta ThreatInsight

Okta System Log Query

eventType eq "security.threat.detected" AND outcome.reason co "Login failures with high unknown users count"

ThreatInsight Alert: Suspected Password Spray Attack

ID

T1110.003

Technique

Brute Force: Password Spraying

Chronicle identifier

okta_threatinsight_suspected_password_spray_attack

Description

Okta's ThreatInsight can identify Password Spray attacks.

Okta Reference

System Log events for Okta ThreatInsight

Okta System Log Query

eventType eq "security.threat.detected" and outcome.reason eq "Password Spray"

Successful Login Evaluated as High Risk

ID

T1078

Technique

Valid Accounts

Chronicle identifier

okta_successful_high_risk_user_logins

Description

NEW: Detects successfully authenticated user logins based on Okta's Behavior Detection pattern analysis.

Okta Reference

Behavior Detection System Log events

Okta System Log Query

outcome.result eq "SUCCESS" and debugContext.debugData.risk co "HIGH"

Okta User Account Lockout

ID

T1078

Technique

Valid Accounts

Chronicle identifier

okta_user_account_lockout

Description

NEW: Detects when a user's account is locked out or a user account has reached the lockout limit.

Okta Reference

How Adaptive MFA Helps Mitigate Brute Force Attacks

Okta System Log Query

eventType eq "user.account.lock"

New Okta API Token Created

ID

T1078 

Technique

Valid Accounts

Chronicle Identifier

okta_new_api_token_created

Description

NEW: Detects when a new API token is created.

Okta Reference

Tokens

Okta System Log Query

eventType eq "system.api_token.create"

Out of Hours Successful Authentication

ID

T1078

Technique

Valid Accounts

Chronicle identifier

okta_user_login_out_of_hours

Description

NEW: Detects out of hours successful authentication.

Okta Reference

User Sign-in and Recovery Events in the Okta System Log

User Logins from Multiple Cities

ID

T1078

Technique

Valid Accounts

Chronicle identifier

okta_user_logins_from_multiple_cities

Description

NEW: Detects user logins for the same user from different cities within 24 hours.

Okta Reference

Behavior Detection System Log events

We found this exercise to be fulfilling. Writing YARA-L queries is new to us, but they have been super easy to read and collaborate on. Even if you’re not a Chronicle customer, you might find it valuable to read the detection logic in Chronicle to frame your thinking about how you might go about detecting these types of threats.

What’s next?

Once we’re happy with our detections, phishing resistant factors and other control slices; where should we invest our energy next? I’d suggest considering what an adversary might now need to do for persistence and lateral movement. Perhaps they could socially engineer a new factor, a managed device or even a whole new account?

Best get thinking about how you’d detect:

  • User factors added or modified (user.mfa.factor*)

  • New users created (user.lifecycle.create)

  • Devices added to MDM

  • Remote Monitoring and Management tool installation or execution

  • VM installation on workstations

  • Duplicate hostnames

Gouda luck!

Defensive Cyber Operations

The Defensive Cyber Operations (DCO) team is responsible for detecting and responding to cyber threats that impact Okta or our customers via the Okta platform. Our intelligence-driven capability identifies the adversaries most likely to impact Okta and our customers, and prioritises our defensive capabilities based on the threats most likely to be realised.