Eric Forte
35 lines
1.4 KiB
TOML
35 lines
1.4 KiB
TOML
[hunt]
|
|
author = "Elastic"
|
|
description = """
|
|
This hunting query identifies MFA bombing attacks in Okta. Adversaries may attempt to flood a user with multiple MFA push notifications to disrupt operations or gain unauthorized access to accounts. This query identifies when a user has more than 5 MFA deny push notifications in a 10 minute window.
|
|
"""
|
|
integration = ["okta"]
|
|
uuid = "223451b0-6eca-11ef-a070-f661ea17fbcc"
|
|
name = "Rapid MFA Deny Push Notifications (MFA Bombing)"
|
|
language = ["ES|QL"]
|
|
license = "Elastic License v2"
|
|
notes = [
|
|
"`okta.actor.alternate_id` is the targeted user account.",
|
|
"Pivot and search for `event.action` is `user.authentication.auth_via_mfa` to determine if the target user accepted the MFA push notification.",
|
|
"If a MFA bombing attack is suspected, both username and password are required prior to MFA push notifications. Thus the credentials are likely compromised.",
|
|
]
|
|
mitre = ['T1621']
|
|
query = [
|
|
"""
|
|
from logs-okta*
|
|
| where @timestamp > NOW() - 7 day
|
|
|
|
// Truncate the timestamp to 10 minute windows
|
|
| eval target_time_window = DATE_TRUNC(10 minutes, @timestamp)
|
|
|
|
// Filter for MFA deny push notifications
|
|
| where event.action == "user.mfa.okta_verify.deny_push"
|
|
|
|
// Count the number of MFA deny push notifications for each user in each 10 minute window
|
|
| stats deny_push_count = count(*) by target_time_window, okta.actor.alternate_id
|
|
|
|
// Filter for users with more than 5 MFA deny push notifications
|
|
| where deny_push_count >= 5
|
|
"""
|
|
]
|