forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[New Rule] Okta Credential Stuffing and Password Spraying Identificat…
…ion via Source, Device Token and Actor (elastic#3797) * adding new rule 'Multiple Okta User Authentication Events with Same Device Token Hash' * adding new rule 'Multiple Okta User Authentication Events with Client Address' * updating UUIDs * removed indexes * adding new rule 'High Number of Okta Device Token Cookies Generated for Authentication' * added okta outcome reason 'INVALID_CREDENTIALS' to queries * updated risk score * made all rules low risk score * added user session start to rule * updated min-stack comments
- Loading branch information
1 parent
a131e02
commit da8f3e4
Showing
3 changed files
with
376 additions
and
0 deletions.
There are no files selected for viewing
125 changes: 125 additions & 0 deletions
125
...ons/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,125 @@ | ||
[metadata] | ||
creation_date = "2024/06/17" | ||
integration = ["okta"] | ||
maturity = "production" | ||
min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview." | ||
min_stack_version = "8.13.0" | ||
updated_date = "2024/06/20" | ||
|
||
[rule] | ||
author = ["Elastic"] | ||
description = """ | ||
Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. | ||
""" | ||
false_positives = [ | ||
"Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", | ||
"Shared systems such as Kiosks and conference room computers may be used by multiple users.", | ||
] | ||
from = "now-9m" | ||
language = "esql" | ||
license = "Elastic License v2" | ||
name = "Multiple Okta User Authentication Events with Client Address" | ||
note = """## Triage and analysis | ||
### Investigating Multiple Okta User Authentication Events with Client Address | ||
This rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack. | ||
#### Possible investigation steps: | ||
Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity. | ||
- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields. | ||
- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields. | ||
- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy. | ||
- If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying. | ||
- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful. | ||
- If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context. | ||
- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field. | ||
- Historical analysis should indicate if this device token hash is commonly associated with the user. | ||
- Review the `okta.event_type` field to determine the type of authentication event that occurred. | ||
- If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons. | ||
- If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying. | ||
- If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API. | ||
- Examine the `okta.outcome.result` field to determine if the authentication was successful. | ||
- Review the past activities of the actor(s) involved in this action by checking their previous actions. | ||
- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity. | ||
- This may help determine the authentication and authorization actions that occurred between the user, Okta and application. | ||
### False positive analysis: | ||
- A user may have legitimately started a session via a proxy for security or privacy reasons. | ||
- Users may share an endpoint related to work or personal use in which separate Okta accounts are used. | ||
- Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons. | ||
- Shared systems such as Kiosks and conference room computers may be used by multiple users. | ||
- Shared working spaces may have a single endpoint that is used by multiple users. | ||
### Response and remediation: | ||
- Review the profile of the users involved in this action to determine if proxy usage may be expected. | ||
- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required. | ||
- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA). | ||
- If MFA is already enabled, consider resetting MFA for the users. | ||
- If any of the users are not legitimate, consider deactivating the user's account. | ||
- Conduct a review of Okta policies and ensure they are in accordance with security best practices. | ||
- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user. | ||
- If so, confirm with the user this was a legitimate request. | ||
- If so and this was not a legitimate request, consider deactivating the user's account temporarily. | ||
- Reset passwords and reset MFA for the user. | ||
- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule. | ||
- This will prevent future occurrences of this event for this device from triggering the rule. | ||
- Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule. | ||
- This should be done with caution as it may prevent legitimate alerts from being generated. | ||
""" | ||
references = [ | ||
"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", | ||
"https://developer.okta.com/docs/reference/api/event-types/", | ||
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", | ||
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", | ||
"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/" | ||
] | ||
risk_score = 21 | ||
rule_id = "94e734c0-2cda-11ef-84e1-f661ea17fbce" | ||
setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule." | ||
severity = "low" | ||
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"] | ||
timestamp_override = "event.ingested" | ||
type = "esql" | ||
|
||
query = ''' | ||
FROM logs-okta* | ||
| WHERE | ||
event.dataset == "okta.system" | ||
AND (event.action == "user.session.start" OR event.action RLIKE "user\\.authentication(.*)") | ||
AND okta.outcome.reason == "INVALID_CREDENTIALS" | ||
| STATS | ||
source_auth_count = COUNT_DISTINCT(okta.actor.id) | ||
BY okta.client.ip, okta.actor.alternate_id | ||
| WHERE | ||
source_auth_count > 5 | ||
| SORT | ||
source_auth_count DESC | ||
''' | ||
|
||
[[rule.threat]] | ||
framework = "MITRE ATT&CK" | ||
[[rule.threat.technique]] | ||
id = "T1110" | ||
name = "Brute Force" | ||
reference = "https://attack.mitre.org/techniques/T1110/" | ||
|
||
[[rule.threat.technique.subtechnique]] | ||
id = "T1110.003" | ||
name = "Password Spraying" | ||
reference = "https://attack.mitre.org/techniques/T1110/003/" | ||
|
||
[[rule.threat.technique]] | ||
id = "T1110" | ||
name = "Brute Force" | ||
reference = "https://attack.mitre.org/techniques/T1110/" | ||
|
||
[[rule.threat.technique.subtechnique]] | ||
id = "T1110.004" | ||
name = "Credential Stuffing" | ||
reference = "https://attack.mitre.org/techniques/T1110/004/" | ||
|
||
[rule.threat.tactic] | ||
id = "TA0006" | ||
name = "Credential Access" | ||
reference = "https://attack.mitre.org/tactics/TA0006/" |
124 changes: 124 additions & 0 deletions
124
...ential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,124 @@ | ||
[metadata] | ||
creation_date = "2024/06/17" | ||
integration = ["okta"] | ||
maturity = "production" | ||
min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview." | ||
min_stack_version = "8.13.0" | ||
updated_date = "2024/06/20" | ||
|
||
[rule] | ||
author = ["Elastic"] | ||
description = """ | ||
Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. | ||
""" | ||
false_positives = [ | ||
"Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", | ||
"Shared systems such as Kiosks and conference room computers may be used by multiple users.", | ||
] | ||
from = "now-9m" | ||
language = "esql" | ||
license = "Elastic License v2" | ||
name = "Multiple Okta User Authentication Events with Same Device Token Hash" | ||
note = """## Triage and analysis | ||
### Investigating Multiple Okta User Authentication Events with Same Device Token Hash | ||
This rule detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack. | ||
#### Possible investigation steps: | ||
- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.debug_context.debug_data.dt_hash` values can be used to pivot into the raw authentication events related to this activity. | ||
- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields. | ||
- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields. | ||
- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy. | ||
- If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying. | ||
- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful. | ||
- If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context. | ||
- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field. | ||
- Historical analysis should indicate if this device token hash is commonly associated with the user. | ||
- Review the `okta.event_type` field to determine the type of authentication event that occurred. | ||
- If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons. | ||
- If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying. | ||
- Examine the `okta.outcome.result` field to determine if the authentication was successful. | ||
- Review the past activities of the actor(s) involved in this action by checking their previous actions. | ||
- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity. | ||
- This may help determine the authentication and authorization actions that occurred between the user, Okta and application. | ||
### False positive analysis: | ||
- A user may have legitimately started a session via a proxy for security or privacy reasons. | ||
- Users may share an endpoint related to work or personal use in which separate Okta accounts are used. | ||
- Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons. | ||
- Shared systems such as Kiosks and conference room computers may be used by multiple users. | ||
- Shared working spaces may have a single endpoint that is used by multiple users. | ||
### Response and remediation: | ||
- Review the profile of the users involved in this action to determine if proxy usage may be expected. | ||
- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required. | ||
- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA). | ||
- If MFA is already enabled, consider resetting MFA for the users. | ||
- If any of the users are not legitimate, consider deactivating the user's account. | ||
- Conduct a review of Okta policies and ensure they are in accordance with security best practices. | ||
- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user. | ||
- If so, confirm with the user this was a legitimate request. | ||
- If so and this was not a legitimate request, consider deactivating the user's account temporarily. | ||
- Reset passwords and reset MFA for the user. | ||
- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule. | ||
- This will prevent future occurrences of this event for this device from triggering the rule. | ||
""" | ||
references = [ | ||
"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", | ||
"https://developer.okta.com/docs/reference/api/event-types/", | ||
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", | ||
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", | ||
"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/" | ||
] | ||
risk_score = 21 | ||
rule_id = "95b99adc-2cda-11ef-84e1-f661ea17fbce" | ||
setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule." | ||
severity = "low" | ||
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"] | ||
timestamp_override = "event.ingested" | ||
type = "esql" | ||
|
||
query = ''' | ||
FROM logs-okta* | ||
| WHERE | ||
event.dataset == "okta.system" | ||
AND (event.action RLIKE "user\\.authentication(.*)" OR event.action == "user.session.start") | ||
AND okta.debug_context.debug_data.dt_hash != "-" | ||
AND okta.outcome.reason == "INVALID_CREDENTIALS" | ||
| STATS | ||
target_auth_count = COUNT_DISTINCT(okta.actor.id) | ||
BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id | ||
| WHERE | ||
target_auth_count > 20 | ||
| SORT | ||
target_auth_count DESC | ||
''' | ||
|
||
|
||
[[rule.threat]] | ||
framework = "MITRE ATT&CK" | ||
[[rule.threat.technique]] | ||
id = "T1110" | ||
name = "Brute Force" | ||
reference = "https://attack.mitre.org/techniques/T1110/" | ||
|
||
[[rule.threat.technique.subtechnique]] | ||
id = "T1110.003" | ||
name = "Password Spraying" | ||
reference = "https://attack.mitre.org/techniques/T1110/003/" | ||
|
||
[[rule.threat.technique]] | ||
id = "T1110" | ||
name = "Brute Force" | ||
reference = "https://attack.mitre.org/techniques/T1110/" | ||
|
||
[[rule.threat.technique.subtechnique]] | ||
id = "T1110.004" | ||
name = "Credential Stuffing" | ||
reference = "https://attack.mitre.org/techniques/T1110/004/" | ||
|
||
[rule.threat.tactic] | ||
id = "TA0006" | ||
name = "Credential Access" | ||
reference = "https://attack.mitre.org/tactics/TA0006/" |
Oops, something went wrong.