From 02fcd43dbde66918a29c07d484513e241241c349 Mon Sep 17 00:00:00 2001 From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Thu, 11 Sep 2025 16:24:09 -0400 Subject: [PATCH] [Rule Tuning] Potential Okta MFA Bombing via Push Notifications (#5073) * updated rule logic * adjusted similar rule; added factor specification * updated investigation guide --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --- ...ta_mfa_bombing_via_push_notifications.toml | 40 ++++++++++++------- ...l_okta_bombing_via_push_notifications.toml | 39 ++++++++++++------ 2 files changed, 53 insertions(+), 26 deletions(-)
diff --git a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
index e05181c55..81619833e 100644
--- a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
+++ b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/18"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/09/10"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ user eventually accepts the Okta push notification. An adversary may attempt to
 for an organization to obtain unauthorized access.
 """
 event_category_override = "event.category"
-index = ["filebeat-*", "logs-okta*"]
+index = ["filebeat-*", "logs-okta.system*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Okta MFA Bombing via Push Notifications"
@@ -60,29 +60,41 @@ references = [
 ]
 risk_score = 73
 rule_id = "8a0fbd26-867f-11ee-947c-f661ea17fbcd"
-setup = """## Setup
-
-The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
-"""
 severity = "high"
 tags = [
+ "Domain: Identity",
 "Use Case: Identity and Access Audit",
 "Tactic: Credential Access",
 "Data Source: Okta",
+ "Data Source: Okta System Logs",
 "Resources: Investigation Guide",
 ]
 type = "eql"
 
 query = '''
 sequence by okta.actor.id with maxspan=10m
- [authentication where event.dataset == "okta.system"
- and okta.event_type == "user.mfa.okta_verify.deny_push"] with runs=5
- until [authentication where event.dataset == "okta.system"
- and (okta.event_type: (
- "user.authentication.sso",
- "user.authentication.auth_via_mfa",
- "user.authentication.verify",
- "user.session.start") and okta.outcome.result == "SUCCESS")]
+ [ any
+ where event.dataset == "okta.system"
+ and (
+ okta.event_type == "user.mfa.okta_verify.deny_push"
+ or (
+ okta.event_type == "user.authentication.auth_via_mfa"
+ and okta.debug_context.debug_data.factor == "OKTA_VERIFY_PUSH"
+ and okta.outcome.reason == "INVALID_CREDENTIALS"
+ )
+ )
+ ] with runs=5
+ until
+ [ any
+ where event.dataset == "okta.system"
+ and okta.event_type in (
+ "user.authentication.sso",
+ "user.authentication.auth_via_mfa",
+ "user.authentication.verify",
+ "user.session.start"
+ )
+ and okta.outcome.result == "SUCCESS"
+ ]
 '''
 
 
diff --git a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
index 7e54f71c4..ad755fa3b 100644
--- a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
+++ b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
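Review bot: The first sequence element now treats `user.authentication.auth_via_mfa` with `okta.debug_context.debug_data.factor == "OKTA_VERIFY_PUSH"` and `okta.outcome.reason == "INVALID_CREDENTIALS"` as equivalent to a `user.mfa.okta_verify.deny_push` event, but nothing in the query or the surrounding fields says why a rejected push can surface under that event type, and the same branch appears in the second file's query hunk. An EQL line comment inside the `'''` literal would carry the rationale, e.g. `// a rejected Okta Verify push may be logged as auth_via_mfa + INVALID_CREDENTIALS rather than deny_push` above the `or (` line, assuming the repository's query linting accepts comments; otherwise a sentence in `description` does the same job. The hunk also drops the `setup` block that named the Okta Fleet integration or Filebeat module as the required data source, with no replacement visible here; if that guidance moved elsewhere this is fine, otherwise the rule loses its only statement of what feeds `event.dataset == "okta.system"`. Switching the element category from `authentication` to `any` widens which Okta events are considered while `event_category_override` is still set, so a short note on why `any` is needed (presumably some `auth_via_mfa` failures are not categorized as `authentication`) would help the next tuner. The `[rule]` table containing this hunk begins before line 60 and its threat mappings continue after it.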
@@ -2,7 +2,7 @@
 creation_date = "2022/01/05"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/09/10"
 
 [rule]
 author = ["Elastic"]
@@ -12,13 +12,13 @@ user eventually accepts the Okta push notification. An adversary may attempt to
 for an organization to obtain unauthorized access.
 """
 event_category_override = "event.category"
-index = ["filebeat-*", "logs-okta*"]
+index = ["filebeat-*", "logs-okta.system*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Potentially Successful MFA Bombing via Push Notifications"
+name = "Potentially Successful Okta MFA Bombing via Push Notifications"
 note = """## Triage and analysis
 
-### Investigating Potentially Successful MFA Bombing via Push Notifications
+### Investigating Potentially Successful Okta MFA Bombing via Push Notifications
 
 Multi-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may
 abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.
@@ -65,23 +65,38 @@ risk_score = 73
 rule_id = "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7"
 severity = "high"
 tags = [
+ "Domain: Identity",
 "Use Case: Identity and Access Audit",
 "Tactic: Credential Access",
 "Data Source: Okta",
+ "Data Source: Okta System Logs",
 "Resources: Investigation Guide",
 ]
 type = "eql"
 
 query = '''
 sequence by okta.actor.id with maxspan=10m
- [authentication where event.dataset == "okta.system" and event.module == "okta"
- and event.action == "user.mfa.okta_verify.deny_push"] with runs=3
- [authentication where event.dataset == "okta.system" and event.module == "okta"
- and (event.action : (
- "user.authentication.sso",
- "user.authentication.auth_via_mfa",
- "user.authentication.verify",
- "user.session.start") and okta.outcome.result == "SUCCESS")]
+ [ any
+ where event.dataset == "okta.system"
+ and (
+ okta.event_type == "user.mfa.okta_verify.deny_push"
+ or (
+ okta.event_type == "user.authentication.auth_via_mfa"
+ and okta.debug_context.debug_data.factor == "OKTA_VERIFY_PUSH"
+ and okta.outcome.reason == "INVALID_CREDENTIALS"
+ )
+ )
+ ] with runs=5
+ [ any
+ where event.dataset == "okta.system"
+ and okta.event_type in (
+ "user.authentication.sso",
+ "user.authentication.auth_via_mfa",
+ "user.authentication.verify",
+ "user.session.start"
+ )
+ and okta.outcome.result == "SUCCESS"
+ ]
 '''
 
 
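Review bot: `] with runs=5` replaces the previous `runs=3` on the first sequence element, so a successful approval preceded by only three or four rejected pushes no longer fires this rule, and neither the hunk nor the commit message records that the threshold for the successful case was deliberately aligned with the unsuccessful one. If the alignment is intended, a trailing EQL comment such as `] with runs=5  // aligned with the Potential Okta MFA Bombing rule` or a sentence in the investigation guide would keep a later tuner from reverting it; if it was incidental, the lower threshold is arguably the better fit for a rule whose second element already requires a SUCCESS outcome. That second element accepts a SUCCESS on any of the four listed event types without tying it to the `OKTA_VERIFY_PUSH` factor, so an SSO or session-start success within the 10 minute window also completes the sequence, which is worth stating in the guide so analysts know the closing event may not itself be a push approval. The `[rule]` table containing this hunk starts before line 65.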