hunting/okta/queries/credential_access_mfa_bombing_push_notifications.toml

[hunt]
author = "Elastic"
description = """
This hunting query identifies MFA bombing attacks in Okta. Adversaries may attempt to flood a user with multiple MFA push notifications to disrupt operations or gain unauthorized access to accounts. This query identifies when a user has more than 5 MFA deny push notifications in a 10 minute window.
"""
integration = ["okta"]
uuid = "223451b0-6eca-11ef-a070-f661ea17fbcc"
name = "Rapid MFA Deny Push Notifications (MFA Bombing)"
language = ["ES|QL"]
license = "Elastic License v2"
notes = [
    "`okta.actor.alternate_id` is the targeted user account.",
    "Pivot and search for `event.action` is `user.authentication.auth_via_mfa` to determine if the target user accepted the MFA push notification.",
    "If a MFA bombing attack is suspected, both username and password are required prior to MFA push notifications. Thus the credentials are likely compromised.",
]
mitre = ['T1621']
query = [
"""
from logs-okta*
| where @timestamp > NOW() - 7 day

// Truncate the timestamp to 10 minute windows
| eval target_time_window = DATE_TRUNC(10 minutes, @timestamp)

// Filter for MFA deny push notifications
| where event.action == "user.mfa.okta_verify.deny_push"

// Count the number of MFA deny push notifications for each user in each 10 minute window
| stats deny_push_count = count(*) by target_time_window, okta.actor.alternate_id

// Filter for users with more than 5 MFA deny push notifications
| where deny_push_count >= 5
"""
]
[New Hunt] Add Initial Okta Hunting Queries (#4064 ) 2024-09-16 14:36:44 -04:00			`[hunt]`
			`author = "Elastic"`
			`description = """`
			`This hunting query identifies MFA bombing attacks in Okta. Adversaries may attempt to flood a user with multiple MFA push notifications to disrupt operations or gain unauthorized access to accounts. This query identifies when a user has more than 5 MFA deny push notifications in a 10 minute window.`
			`"""`
			`integration = ["okta"]`
			`uuid = "223451b0-6eca-11ef-a070-f661ea17fbcc"`
			`name = "Rapid MFA Deny Push Notifications (MFA Bombing)"`
			`language = ["ES\|QL"]`
			`license = "Elastic License v2"`
			`notes = [`
			"`okta.actor.alternate_id` is the targeted user account.",
			"Pivot and search for `event.action` is `user.authentication.auth_via_mfa` to determine if the target user accepted the MFA push notification.",
			`"If a MFA bombing attack is suspected, both username and password are required prior to MFA push notifications. Thus the credentials are likely compromised.",`
			`]`
			`mitre = ['T1621']`
			`query = [`
			`"""`
			`from logs-okta*`
			`\| where @timestamp > NOW() - 7 day`

			`// Truncate the timestamp to 10 minute windows`
			`\| eval target_time_window = DATE_TRUNC(10 minutes, @timestamp)`

			`// Filter for MFA deny push notifications`
			`\| where event.action == "user.mfa.okta_verify.deny_push"`

			`// Count the number of MFA deny push notifications for each user in each 10 minute window`
			`\| stats deny_push_count = count(*) by target_time_window, okta.actor.alternate_id`

			`// Filter for users with more than 5 MFA deny push notifications`
			`\| where deny_push_count >= 5`
			`"""`
[FR] Minor Typo Fixes (#5784 ) 2026-03-06 17:12:45 -05:00			`]`