[Rule Tuning] Adjust Attempt to Deactivate MFA for an Okta User Account Okta Rule (#3345)
* tuning 'MFA Deactivation with no Re-Activation for Okta User Account'
* adjusted the query to use the `like` function
(cherry picked from commit 203c228249)
committed by
github-actions[bot]
parent
dae8e76cd4
commit
89188034ce
-57
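--- a/<PATH NOT SHOWN ON PAGE: deleted Okta rule file>
+++ /dev/null
@@ -1,57 +0,0 @@
-[metadata]
-creation_date = "2020/05/20"
-integration = ["okta"]
-maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
-
-[rule]
-author = ["Elastic"]
-description = """
-Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for
-an Okta user account in order to weaken the authentication requirements for the account.
-"""
-false_positives = [
-"""
-If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to
-filter false positives.
-""",
-]
-index = ["filebeat-*", "logs-okta*"]
-language = "kuery"
-license = "Elastic License v2"
-name = "Attempt to Deactivate MFA for an Okta User Account"
-note = """## Setup
-
-The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
-references = [
-"https://developer.okta.com/docs/reference/api/system-log/",
-"https://developer.okta.com/docs/reference/api/event-types/",
-"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
-]
-risk_score = 21
-rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8"
-severity = "low"
-tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"]
-timestamp_override = "event.ingested"
-type = "query"
-
-query = '''
-event.dataset:okta.system and event.action:user.mfa.factor.deactivate
-'''
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-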
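--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE: added Okta rule file>
@@ -0,0 +1,95 @@
+[metadata]
+creation_date = "2020/05/20"
+integration = ["okta"]
+maturity = "production"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/12/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. An
+adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the
+account.
+"""
+false_positives = [
+"""
+If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to
+filter false positives.
+""",
+]
+from = "now-12h"
+index = ["filebeat-*", "logs-okta.system*"]
+interval = "6h"
+language = "eql"
+license = "Elastic License v2"
+name = "MFA Deactivation with no Re-Activation for Okta User Account"
+note = """## Triage and analysis
+
+### Investigating MFA Deactivation with no Re-Activation for Okta User Account
+
+MFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for an Okta user account to achieve persistence.
+
+This rule fires when an Okta user account has MFA deactivated and no subsequent MFA reactivation is observed within 12 hours.
+
+#### Possible investigation steps:
+
+- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.
+- Review `okta.target` or `user.target.full_name` fields to determine if deactivation was performed by a se parate user.
+- Using the `okta.actor.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`.
+- Review events where `okta.event_type` is `user.authenticate*` to determine if the user account had suspicious login activity.
+- Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.
+
+#### False positive steps:
+
+- Determine with the target user if MFA deactivation was expected.
+- Determine if MFA is required for the target user account.
+
+#### Response and remediation:
+
+- If the MFA deactivation was not expected, consider deactivating the user
+- This should be followed by resetting the user's password and re-enabling MFA.
+- If the MFA deactivation was expected, consider adding an exception to this rule to filter false positives.
+- Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue.
+- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.
+- Check if the compromised account was used to access or alter any sensitive data, applications or systems.
+"""
+references = [
+"https://developer.okta.com/docs/reference/api/system-log/",
+"https://developer.okta.com/docs/reference/api/event-types/",
+"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+]
+risk_score = 21
+rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8"
+setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n"
+severity = "low"
+tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta", "Domain: Cloud"]
+type = "eql"
+
+query = '''
+sequence by okta.actor.id with maxspan=12h
+[any where event.dataset == "okta.system" and okta.event_type == "user.mfa.factor.deactivate"
+and okta.outcome.result == "SUCCESS" and not okta.client.user_agent.raw_user_agent like "SFDC-Callout*"]
+![any where event.dataset == "okta.system" and okta.event_type == "user.mfa.factor.activate"]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+[[rule.threat.technique.subtechnique]]
+id = "T1556.006"
+name = "Multi-Factor Authentication"
+reference = "https://attack.mitre.org/techniques/T1556/006/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+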
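Review bot: The `not okta.client.user_agent.raw_user_agent like "SFDC-Callout*"` clause in the first step of the `sequence` query excludes events on the strength of a client-supplied User-Agent string alone, so any successful deactivation whose client reports that prefix drops out of the sequence regardless of who performed it; either narrow it with a field the query already joins on, e.g. pair it with a specific `okta.actor.id`, or record the accepted gap under `false_positives`. The sequence joins on `okta.actor.id` while the investigation steps acknowledge the deactivation may be performed by a separate user from the target, so a re-activation done by the targeted user under their own actor id would presumably not satisfy the negated step and the rule would still fire; if that is intended, say so in the note, e.g. `Re-activation is only matched when performed by the same actor that deactivated the factor.` The previous file's `timestamp_override = "event.ingested"` is not carried over, so with `from = "now-12h"` events ingested more than 12h after their `@timestamp` are never evaluated. In the second investigation step, `se parate` should read `separate`.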