1712102080, search_name="ESCU - Okta User Logins from Multiple Cities - DM - Rule", City="", City="Frankfurt am Main", City="New York", Country="Germany", Country="United States", action="failure", action="success", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Weaponization\"], \"mitre_attack\": [\"T1586.003\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="Okta Account Takeover", annotations._all="T1586.003", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.mitre_attack="T1586.003", annotations.nist="DE.AE", count="9", distinct_city="3", distinct_src="5", firstTime="1701406800", info_max_time="1712101200.000000000", info_min_time="1699070400.000000000", info_search_time="1712102075.422388000", lastTime="1709269200", risk_message="A user [victim_user@acme.com] has logged in from multiple cities [
Frankfurt am Main
New York] from IP Address - [18.185.207.118 23.93.195.223 23.93.210.147 23.93.213.13 72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects logins from the same user from different cities in a 24 hour period.  This could be an indication of a compromised account.", src="18.185.207.118", src="23.93.195.223", src="23.93.210.147", src="23.93.213.13", src="72.43.121.43", threat_object="18.185.207.118", threat_object="23.93.195.223", threat_object="23.93.210.147", threat_object="23.93.213.13", threat_object="72.43.121.43", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", user="victim_user@acme.com"
1709247000, search_name="ESCU - Okta New Device Enrolled on Account - Rule", orig_time="1709247000", action="created", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 40, \"kill_chain_phases\": [\"Installation\", \"Exploitation\"], \"mitre_attack\": [\"T1098\", \"T1098.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1098", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Okta Account Takeover", annotations._all="Installation", annotations._all="T1098.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1098", annotations.mitre_attack="T1098.005", annotations.nist="DE.CM", command="device.enrollment.create", count="1", firstTime="2024-02-29T17:52:54", info_max_time="1712101200.000000000", info_min_time="1699070400.000000000", info_search_time="1712102021.799147000", lastTime="2024-02-29T17:52:54", object_category="UDDevice", result="Enroll new device", risk_message="victim_user@acme.com has added a new device to their account.", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="24.0", savedsearch_description="The following analytic will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", orig_sourcetype="OktaIM2:log", src="23.93.210.147", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="Okta Account Takeover", annotations._all="DE.AE", annotations._all="T1087.004", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712101200.000000000", info_min_time="1699070400.000000000", info_search_time="1712101993.406183000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="Okta Account Takeover", annotations._all="DE.AE", annotations._all="T1087.004", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712101200.000000000", info_min_time="1699070400.000000000", info_search_time="1712101993.406183000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="Okta Account Takeover", annotations._all="DE.AE", annotations._all="T1087.004", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712101200.000000000", info_min_time="1699070400.000000000", info_search_time="1712101993.406183000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1709269200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="Delivery", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="Okta Account Takeover", annotations._all="Weaponization", annotations._all="CIS 10", annotations._all="T1078", annotations._all="Installation", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="13", dest="dev-64597797.okta.com", firstTime="2024-03-04T15:28:40", info_max_time="1712101200.000000000", info_min_time="1699070400.000000000", info_search_time="1712101963.907248000", lastTime="2024-03-20T20:55:02", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1709269200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="Delivery", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="Okta Account Takeover", annotations._all="Weaponization", annotations._all="CIS 10", annotations._all="T1078", annotations._all="Installation", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="4", dest="dev-64597797.okta.com", firstTime="2024-03-11T16:11:45", info_max_time="1712101200.000000000", info_min_time="1699070400.000000000", info_search_time="1712101963.907248000", lastTime="2024-03-11T16:13:46", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="New York", Country="United States", Region="New York", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="Delivery", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="Okta Account Takeover", annotations._all="Weaponization", annotations._all="CIS 10", annotations._all="T1078", annotations._all="Installation", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-02-28T14:10:15", info_max_time="1712101200.000000000", info_min_time="1699070400.000000000", info_search_time="1712101963.907248000", lastTime="2024-02-28T14:10:15", lat="40.76520", lon="-73.95880", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="72.43.121.43", threat_object="72.43.121.43", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="Delivery", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="Okta Account Takeover", annotations._all="Weaponization", annotations._all="CIS 10", annotations._all="T1078", annotations._all="Installation", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="7", dest="dev-64597797.okta.com", firstTime="2024-02-29T17:57:42", info_max_time="1712101200.000000000", info_min_time="1699070400.000000000", info_search_time="1712101963.907248000", lastTime="2024-02-29T18:29:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="Delivery", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="Okta Account Takeover", annotations._all="Weaponization", annotations._all="CIS 10", annotations._all="T1078", annotations._all="Installation", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="3", dest="dev-64597797.okta.com", firstTime="2024-02-29T16:24:48", info_max_time="1712101200.000000000", info_min_time="1699070400.000000000", info_search_time="1712101963.907248000", lastTime="2024-02-29T16:25:35", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="Delivery", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="Okta Account Takeover", annotations._all="Weaponization", annotations._all="CIS 10", annotations._all="T1078", annotations._all="Installation", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-23T14:29:45", info_max_time="1712101200.000000000", info_min_time="1699070400.000000000", info_search_time="1712101963.907248000", lastTime="2024-01-23T14:29:45", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="Delivery", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="Okta Account Takeover", annotations._all="Weaponization", annotations._all="CIS 10", annotations._all="T1078", annotations._all="Installation", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-12T15:02:39", info_max_time="1712101200.000000000", info_min_time="1699070400.000000000", info_search_time="1712101963.907248000", lastTime="2024-01-12T15:02:39", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.195.223]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.195.223", threat_object="23.93.195.223", threat_object_type="ip_address", user="victim_user@acme.com"
1701406800, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1701406800", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="Delivery", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="Okta Account Takeover", annotations._all="Weaponization", annotations._all="CIS 10", annotations._all="T1078", annotations._all="Installation", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2023-12-14T20:34:00", info_max_time="1712101200.000000000", info_min_time="1699070400.000000000", info_search_time="1712101963.907248000", lastTime="2023-12-14T20:34:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1712101780, search_name="ESCU - Okta User Logins from Multiple Cities - DM - Rule", City="", City="Frankfurt am Main", City="New York", Country="Germany", Country="United States", action="failure", action="success", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Weaponization\"], \"mitre_attack\": [\"T1586.003\"], \"nist\": [\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="T1586.003", annotations._all="Okta Account Takeover", annotations._all="Weaponization", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.mitre_attack="T1586.003", annotations.nist="DE.AE", count="9", distinct_city="3", distinct_src="5", firstTime="1701406800", info_max_time="1712100900.000000000", info_min_time="1699070400.000000000", info_search_time="1712101775.672181000", lastTime="1709269200", risk_message="A user [victim_user@acme.com] has logged in from multiple cities [
Frankfurt am Main
New York] from IP Address - [18.185.207.118 23.93.195.223 23.93.210.147 23.93.213.13 72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects logins from the same user from different cities in a 24 hour period.  This could be an indication of a compromised account.", src="18.185.207.118", src="23.93.195.223", src="23.93.210.147", src="23.93.213.13", src="72.43.121.43", threat_object="18.185.207.118", threat_object="23.93.195.223", threat_object="23.93.210.147", threat_object="23.93.213.13", threat_object="72.43.121.43", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", user="victim_user@acme.com"
1709247000, search_name="ESCU - Okta New Device Enrolled on Account - Rule", orig_time="1709247000", action="created", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 40, \"kill_chain_phases\": [\"Installation\", \"Exploitation\"], \"mitre_attack\": [\"T1098\", \"T1098.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="T1098.005", annotations._all="CIS 10", annotations._all="T1098", annotations._all="Installation", annotations._all="Okta Account Takeover", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1098", annotations.mitre_attack="T1098.005", annotations.nist="DE.CM", command="device.enrollment.create", count="1", firstTime="2024-02-29T17:52:54", info_max_time="1712100900.000000000", info_min_time="1699070400.000000000", info_search_time="1712101722.017272000", lastTime="2024-02-29T17:52:54", object_category="UDDevice", result="Enroll new device", risk_message="victim_user@acme.com has added a new device to their account.", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="24.0", savedsearch_description="The following analytic will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", orig_sourcetype="OktaIM2:log", src="23.93.210.147", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Exploitation", annotations._all="T1087.004", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Okta Account Takeover", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712100900.000000000", info_min_time="1699070400.000000000", info_search_time="1712101693.622022000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Exploitation", annotations._all="T1087.004", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Okta Account Takeover", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712100900.000000000", info_min_time="1699070400.000000000", info_search_time="1712101693.622022000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Exploitation", annotations._all="T1087.004", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Okta Account Takeover", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712100900.000000000", info_min_time="1699070400.000000000", info_search_time="1712101693.622022000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1709269200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Weaponization", annotations._all="Okta Account Takeover", annotations._all="Exploitation", annotations._all="T1586", annotations._all="DE.CM", annotations._all="T1621", annotations._all="Installation", annotations._all="T1078.004", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="T1078", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="13", dest="dev-64597797.okta.com", firstTime="2024-03-04T15:28:40", info_max_time="1712100900.000000000", info_min_time="1699070400.000000000", info_search_time="1712101664.035013000", lastTime="2024-03-20T20:55:02", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1709269200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Weaponization", annotations._all="Okta Account Takeover", annotations._all="Exploitation", annotations._all="T1586", annotations._all="DE.CM", annotations._all="T1621", annotations._all="Installation", annotations._all="T1078.004", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="T1078", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="4", dest="dev-64597797.okta.com", firstTime="2024-03-11T16:11:45", info_max_time="1712100900.000000000", info_min_time="1699070400.000000000", info_search_time="1712101664.035013000", lastTime="2024-03-11T16:13:46", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="New York", Country="United States", Region="New York", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Weaponization", annotations._all="Okta Account Takeover", annotations._all="Exploitation", annotations._all="T1586", annotations._all="DE.CM", annotations._all="T1621", annotations._all="Installation", annotations._all="T1078.004", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="T1078", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-02-28T14:10:15", info_max_time="1712100900.000000000", info_min_time="1699070400.000000000", info_search_time="1712101664.035013000", lastTime="2024-02-28T14:10:15", lat="40.76520", lon="-73.95880", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="72.43.121.43", threat_object="72.43.121.43", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Weaponization", annotations._all="Okta Account Takeover", annotations._all="Exploitation", annotations._all="T1586", annotations._all="DE.CM", annotations._all="T1621", annotations._all="Installation", annotations._all="T1078.004", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="T1078", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="7", dest="dev-64597797.okta.com", firstTime="2024-02-29T17:57:42", info_max_time="1712100900.000000000", info_min_time="1699070400.000000000", info_search_time="1712101664.035013000", lastTime="2024-02-29T18:29:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Weaponization", annotations._all="Okta Account Takeover", annotations._all="Exploitation", annotations._all="T1586", annotations._all="DE.CM", annotations._all="T1621", annotations._all="Installation", annotations._all="T1078.004", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="T1078", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="3", dest="dev-64597797.okta.com", firstTime="2024-02-29T16:24:48", info_max_time="1712100900.000000000", info_min_time="1699070400.000000000", info_search_time="1712101664.035013000", lastTime="2024-02-29T16:25:35", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Weaponization", annotations._all="Okta Account Takeover", annotations._all="Exploitation", annotations._all="T1586", annotations._all="DE.CM", annotations._all="T1621", annotations._all="Installation", annotations._all="T1078.004", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="T1078", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-23T14:29:45", info_max_time="1712100900.000000000", info_min_time="1699070400.000000000", info_search_time="1712101664.035013000", lastTime="2024-01-23T14:29:45", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Weaponization", annotations._all="Okta Account Takeover", annotations._all="Exploitation", annotations._all="T1586", annotations._all="DE.CM", annotations._all="T1621", annotations._all="Installation", annotations._all="T1078.004", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="T1078", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-12T15:02:39", info_max_time="1712100900.000000000", info_min_time="1699070400.000000000", info_search_time="1712101664.035013000", lastTime="2024-01-12T15:02:39", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.195.223]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.195.223", threat_object="23.93.195.223", threat_object_type="ip_address", user="victim_user@acme.com"
1701406800, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1701406800", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Weaponization", annotations._all="Okta Account Takeover", annotations._all="Exploitation", annotations._all="T1586", annotations._all="DE.CM", annotations._all="T1621", annotations._all="Installation", annotations._all="T1078.004", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="T1078", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2023-12-14T20:34:00", info_max_time="1712100900.000000000", info_min_time="1699070400.000000000", info_search_time="1712101664.035013000", lastTime="2023-12-14T20:34:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1712101480, search_name="ESCU - Okta User Logins from Multiple Cities - DM - Rule", City="", City="Frankfurt am Main", City="New York", Country="Germany", Country="United States", action="failure", action="success", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Weaponization\"], \"mitre_attack\": [\"T1586.003\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Okta Account Takeover", annotations._all="Weaponization", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.mitre_attack="T1586.003", annotations.nist="DE.AE", count="9", distinct_city="3", distinct_src="5", firstTime="1701406800", info_max_time="1712100600.000000000", info_min_time="1699070400.000000000", info_search_time="1712101476.148869000", lastTime="1709269200", risk_message="A user [victim_user@acme.com] has logged in from multiple cities [
Frankfurt am Main
New York] from IP Address - [18.185.207.118 23.93.195.223 23.93.210.147 23.93.213.13 72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects logins from the same user from different cities in a 24 hour period.  This could be an indication of a compromised account.", src="18.185.207.118", src="23.93.195.223", src="23.93.210.147", src="23.93.213.13", src="72.43.121.43", threat_object="18.185.207.118", threat_object="23.93.195.223", threat_object="23.93.210.147", threat_object="23.93.213.13", threat_object="72.43.121.43", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", user="victim_user@acme.com"
1709247000, search_name="ESCU - Okta New Device Enrolled on Account - Rule", orig_time="1709247000", action="created", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 40, \"kill_chain_phases\": [\"Installation\", \"Exploitation\"], \"mitre_attack\": [\"T1098\", \"T1098.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="Okta Account Takeover", annotations._all="T1098", annotations._all="DE.CM", annotations._all="T1098.005", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="Installation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1098", annotations.mitre_attack="T1098.005", annotations.nist="DE.CM", command="device.enrollment.create", count="1", firstTime="2024-02-29T17:52:54", info_max_time="1712100600.000000000", info_min_time="1699070400.000000000", info_search_time="1712101422.197633000", lastTime="2024-02-29T17:52:54", object_category="UDDevice", result="Enroll new device", risk_message="victim_user@acme.com has added a new device to their account.", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="24.0", savedsearch_description="The following analytic will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", orig_sourcetype="OktaIM2:log", src="23.93.210.147", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Okta Account Takeover", annotations._all="Exploitation", annotations._all="T1087.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712100600.000000000", info_min_time="1699070400.000000000", info_search_time="1712101393.912160000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Okta Account Takeover", annotations._all="Exploitation", annotations._all="T1087.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712100600.000000000", info_min_time="1699070400.000000000", info_search_time="1712101393.912160000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Okta Account Takeover", annotations._all="Exploitation", annotations._all="T1087.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712100600.000000000", info_min_time="1699070400.000000000", info_search_time="1712101393.912160000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1709269200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="DE.CM", annotations._all="Installation", annotations._all="Weaponization", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1078.004", annotations._all="T1621", annotations._all="Delivery", annotations._all="Okta Account Takeover", annotations._all="T1586", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="13", dest="dev-64597797.okta.com", firstTime="2024-03-04T15:28:40", info_max_time="1712100600.000000000", info_min_time="1699070400.000000000", info_search_time="1712101363.777996000", lastTime="2024-03-20T20:55:02", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1709269200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="DE.CM", annotations._all="Installation", annotations._all="Weaponization", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1078.004", annotations._all="T1621", annotations._all="Delivery", annotations._all="Okta Account Takeover", annotations._all="T1586", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="4", dest="dev-64597797.okta.com", firstTime="2024-03-11T16:11:45", info_max_time="1712100600.000000000", info_min_time="1699070400.000000000", info_search_time="1712101363.777996000", lastTime="2024-03-11T16:13:46", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="New York", Country="United States", Region="New York", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="DE.CM", annotations._all="Installation", annotations._all="Weaponization", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1078.004", annotations._all="T1621", annotations._all="Delivery", annotations._all="Okta Account Takeover", annotations._all="T1586", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-02-28T14:10:15", info_max_time="1712100600.000000000", info_min_time="1699070400.000000000", info_search_time="1712101363.777996000", lastTime="2024-02-28T14:10:15", lat="40.76520", lon="-73.95880", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="72.43.121.43", threat_object="72.43.121.43", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="DE.CM", annotations._all="Installation", annotations._all="Weaponization", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1078.004", annotations._all="T1621", annotations._all="Delivery", annotations._all="Okta Account Takeover", annotations._all="T1586", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="7", dest="dev-64597797.okta.com", firstTime="2024-02-29T17:57:42", info_max_time="1712100600.000000000", info_min_time="1699070400.000000000", info_search_time="1712101363.777996000", lastTime="2024-02-29T18:29:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="DE.CM", annotations._all="Installation", annotations._all="Weaponization", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1078.004", annotations._all="T1621", annotations._all="Delivery", annotations._all="Okta Account Takeover", annotations._all="T1586", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="3", dest="dev-64597797.okta.com", firstTime="2024-02-29T16:24:48", info_max_time="1712100600.000000000", info_min_time="1699070400.000000000", info_search_time="1712101363.777996000", lastTime="2024-02-29T16:25:35", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="DE.CM", annotations._all="Installation", annotations._all="Weaponization", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1078.004", annotations._all="T1621", annotations._all="Delivery", annotations._all="Okta Account Takeover", annotations._all="T1586", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-23T14:29:45", info_max_time="1712100600.000000000", info_min_time="1699070400.000000000", info_search_time="1712101363.777996000", lastTime="2024-01-23T14:29:45", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="DE.CM", annotations._all="Installation", annotations._all="Weaponization", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1078.004", annotations._all="T1621", annotations._all="Delivery", annotations._all="Okta Account Takeover", annotations._all="T1586", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-12T15:02:39", info_max_time="1712100600.000000000", info_min_time="1699070400.000000000", info_search_time="1712101363.777996000", lastTime="2024-01-12T15:02:39", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.195.223]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.195.223", threat_object="23.93.195.223", threat_object_type="ip_address", user="victim_user@acme.com"
1701406800, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1701406800", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="DE.CM", annotations._all="Installation", annotations._all="Weaponization", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1078.004", annotations._all="T1621", annotations._all="Delivery", annotations._all="Okta Account Takeover", annotations._all="T1586", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2023-12-14T20:34:00", info_max_time="1712100600.000000000", info_min_time="1699070400.000000000", info_search_time="1712101363.777996000", lastTime="2023-12-14T20:34:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1712101180, search_name="ESCU - Okta User Logins from Multiple Cities - DM - Rule", City="", City="Frankfurt am Main", City="New York", Country="Germany", Country="United States", action="failure", action="success", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Weaponization\"], \"mitre_attack\": [\"T1586.003\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="DE.AE", annotations._all="Okta Account Takeover", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.mitre_attack="T1586.003", annotations.nist="DE.AE", count="9", distinct_city="3", distinct_src="5", firstTime="1701406800", info_max_time="1712100300.000000000", info_min_time="1699070400.000000000", info_search_time="1712101176.103255000", lastTime="1709269200", risk_message="A user [victim_user@acme.com] has logged in from multiple cities [
Frankfurt am Main
New York] from IP Address - [18.185.207.118 23.93.195.223 23.93.210.147 23.93.213.13 72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects logins from the same user from different cities in a 24 hour period.  This could be an indication of a compromised account.", src="18.185.207.118", src="23.93.195.223", src="23.93.210.147", src="23.93.213.13", src="72.43.121.43", threat_object="18.185.207.118", threat_object="23.93.195.223", threat_object="23.93.210.147", threat_object="23.93.213.13", threat_object="72.43.121.43", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", user="victim_user@acme.com"
1709247000, search_name="ESCU - Okta New Device Enrolled on Account - Rule", orig_time="1709247000", action="created", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 40, \"kill_chain_phases\": [\"Installation\", \"Exploitation\"], \"mitre_attack\": [\"T1098\", \"T1098.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="Installation", annotations._all="T1098", annotations._all="Exploitation", annotations._all="Okta Account Takeover", annotations._all="CIS 10", annotations._all="T1098.005", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1098", annotations.mitre_attack="T1098.005", annotations.nist="DE.CM", command="device.enrollment.create", count="1", firstTime="2024-02-29T17:52:54", info_max_time="1712100300.000000000", info_min_time="1699070400.000000000", info_search_time="1712101121.416483000", lastTime="2024-02-29T17:52:54", object_category="UDDevice", result="Enroll new device", risk_message="victim_user@acme.com has added a new device to their account.", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="24.0", savedsearch_description="The following analytic will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", orig_sourcetype="OktaIM2:log", src="23.93.210.147", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="T1087.004", annotations._all="DE.AE", annotations._all="Okta Account Takeover", annotations._all="CIS 10", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712100300.000000000", info_min_time="1699070400.000000000", info_search_time="1712101094.050756000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="T1087.004", annotations._all="DE.AE", annotations._all="Okta Account Takeover", annotations._all="CIS 10", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712100300.000000000", info_min_time="1699070400.000000000", info_search_time="1712101094.050756000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="T1087.004", annotations._all="DE.AE", annotations._all="Okta Account Takeover", annotations._all="CIS 10", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712100300.000000000", info_min_time="1699070400.000000000", info_search_time="1712101094.050756000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1709269200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="Installation", annotations._all="T1586", annotations._all="T1621", annotations._all="DE.CM", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="Okta Account Takeover", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="13", dest="dev-64597797.okta.com", firstTime="2024-03-04T15:28:40", info_max_time="1712100300.000000000", info_min_time="1699070400.000000000", info_search_time="1712101064.546769000", lastTime="2024-03-20T20:55:02", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1709269200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="Installation", annotations._all="T1586", annotations._all="T1621", annotations._all="DE.CM", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="Okta Account Takeover", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="4", dest="dev-64597797.okta.com", firstTime="2024-03-11T16:11:45", info_max_time="1712100300.000000000", info_min_time="1699070400.000000000", info_search_time="1712101064.546769000", lastTime="2024-03-11T16:13:46", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="New York", Country="United States", Region="New York", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="Installation", annotations._all="T1586", annotations._all="T1621", annotations._all="DE.CM", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="Okta Account Takeover", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-02-28T14:10:15", info_max_time="1712100300.000000000", info_min_time="1699070400.000000000", info_search_time="1712101064.546769000", lastTime="2024-02-28T14:10:15", lat="40.76520", lon="-73.95880", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="72.43.121.43", threat_object="72.43.121.43", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="Installation", annotations._all="T1586", annotations._all="T1621", annotations._all="DE.CM", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="Okta Account Takeover", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="7", dest="dev-64597797.okta.com", firstTime="2024-02-29T17:57:42", info_max_time="1712100300.000000000", info_min_time="1699070400.000000000", info_search_time="1712101064.546769000", lastTime="2024-02-29T18:29:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="Installation", annotations._all="T1586", annotations._all="T1621", annotations._all="DE.CM", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="Okta Account Takeover", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="3", dest="dev-64597797.okta.com", firstTime="2024-02-29T16:24:48", info_max_time="1712100300.000000000", info_min_time="1699070400.000000000", info_search_time="1712101064.546769000", lastTime="2024-02-29T16:25:35", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="Installation", annotations._all="T1586", annotations._all="T1621", annotations._all="DE.CM", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="Okta Account Takeover", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-23T14:29:45", info_max_time="1712100300.000000000", info_min_time="1699070400.000000000", info_search_time="1712101064.546769000", lastTime="2024-01-23T14:29:45", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="Installation", annotations._all="T1586", annotations._all="T1621", annotations._all="DE.CM", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="Okta Account Takeover", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-12T15:02:39", info_max_time="1712100300.000000000", info_min_time="1699070400.000000000", info_search_time="1712101064.546769000", lastTime="2024-01-12T15:02:39", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.195.223]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.195.223", threat_object="23.93.195.223", threat_object_type="ip_address", user="victim_user@acme.com"
1701406800, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1701406800", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="Installation", annotations._all="T1586", annotations._all="T1621", annotations._all="DE.CM", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="Okta Account Takeover", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2023-12-14T20:34:00", info_max_time="1712100300.000000000", info_min_time="1699070400.000000000", info_search_time="1712101064.546769000", lastTime="2023-12-14T20:34:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1712100880, search_name="ESCU - Okta User Logins from Multiple Cities - DM - Rule", City="", City="Frankfurt am Main", City="New York", Country="Germany", Country="United States", action="failure", action="success", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Weaponization\"], \"mitre_attack\": [\"T1586.003\"], \"nist\": [\"DE.AE\"]}", annotations._all="Okta Account Takeover", annotations._all="CIS 10", annotations._all="T1586.003", annotations._all="Weaponization", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.mitre_attack="T1586.003", annotations.nist="DE.AE", count="9", distinct_city="3", distinct_src="5", firstTime="1701406800", info_max_time="1712100000.000000000", info_min_time="1699070400.000000000", info_search_time="1712100875.996146000", lastTime="1709269200", risk_message="A user [victim_user@acme.com] has logged in from multiple cities [
Frankfurt am Main
New York] from IP Address - [18.185.207.118 23.93.195.223 23.93.210.147 23.93.213.13 72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects logins from the same user from different cities in a 24 hour period.  This could be an indication of a compromised account.", src="18.185.207.118", src="23.93.195.223", src="23.93.210.147", src="23.93.213.13", src="72.43.121.43", threat_object="18.185.207.118", threat_object="23.93.195.223", threat_object="23.93.210.147", threat_object="23.93.213.13", threat_object="72.43.121.43", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", user="victim_user@acme.com"
1709247000, search_name="ESCU - Okta New Device Enrolled on Account - Rule", orig_time="1709247000", action="created", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 40, \"kill_chain_phases\": [\"Installation\", \"Exploitation\"], \"mitre_attack\": [\"T1098\", \"T1098.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="T1098.005", annotations._all="Okta Account Takeover", annotations._all="T1098", annotations._all="Exploitation", annotations._all="Installation", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1098", annotations.mitre_attack="T1098.005", annotations.nist="DE.CM", command="device.enrollment.create", count="1", firstTime="2024-02-29T17:52:54", info_max_time="1712100000.000000000", info_min_time="1699070400.000000000", info_search_time="1712100822.337128000", lastTime="2024-02-29T17:52:54", object_category="UDDevice", result="Enroll new device", risk_message="victim_user@acme.com has added a new device to their account.", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="24.0", savedsearch_description="The following analytic will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", orig_sourcetype="OktaIM2:log", src="23.93.210.147", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Okta Account Takeover", annotations._all="T1087.004", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712100000.000000000", info_min_time="1699070400.000000000", info_search_time="1712100793.900508000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Okta Account Takeover", annotations._all="T1087.004", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712100000.000000000", info_min_time="1699070400.000000000", info_search_time="1712100793.900508000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Okta Account Takeover", annotations._all="T1087.004", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712100000.000000000", info_min_time="1699070400.000000000", info_search_time="1712100793.900508000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1709269200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Delivery", annotations._all="Okta Account Takeover", annotations._all="T1586", annotations._all="T1078", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="CIS 10", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="Installation", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="13", dest="dev-64597797.okta.com", firstTime="2024-03-04T15:28:40", info_max_time="1712100000.000000000", info_min_time="1699070400.000000000", info_search_time="1712100764.092008000", lastTime="2024-03-20T20:55:02", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1709269200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Delivery", annotations._all="Okta Account Takeover", annotations._all="T1586", annotations._all="T1078", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="CIS 10", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="Installation", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="4", dest="dev-64597797.okta.com", firstTime="2024-03-11T16:11:45", info_max_time="1712100000.000000000", info_min_time="1699070400.000000000", info_search_time="1712100764.092008000", lastTime="2024-03-11T16:13:46", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="New York", Country="United States", Region="New York", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Delivery", annotations._all="Okta Account Takeover", annotations._all="T1586", annotations._all="T1078", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="CIS 10", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="Installation", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-02-28T14:10:15", info_max_time="1712100000.000000000", info_min_time="1699070400.000000000", info_search_time="1712100764.092008000", lastTime="2024-02-28T14:10:15", lat="40.76520", lon="-73.95880", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="72.43.121.43", threat_object="72.43.121.43", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Delivery", annotations._all="Okta Account Takeover", annotations._all="T1586", annotations._all="T1078", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="CIS 10", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="Installation", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="7", dest="dev-64597797.okta.com", firstTime="2024-02-29T17:57:42", info_max_time="1712100000.000000000", info_min_time="1699070400.000000000", info_search_time="1712100764.092008000", lastTime="2024-02-29T18:29:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1706763600", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Delivery", annotations._all="Okta Account Takeover", annotations._all="T1586", annotations._all="T1078", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="CIS 10", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="Installation", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="3", dest="dev-64597797.okta.com", firstTime="2024-02-29T16:24:48", info_max_time="1712100000.000000000", info_min_time="1699070400.000000000", info_search_time="1712100764.092008000", lastTime="2024-02-29T16:25:35", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Delivery", annotations._all="Okta Account Takeover", annotations._all="T1586", annotations._all="T1078", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="CIS 10", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="Installation", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-23T14:29:45", info_max_time="1712100000.000000000", info_min_time="1699070400.000000000", info_search_time="1712100764.092008000", lastTime="2024-01-23T14:29:45", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Delivery", annotations._all="Okta Account Takeover", annotations._all="T1586", annotations._all="T1078", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="CIS 10", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="Installation", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-12T15:02:39", info_max_time="1712100000.000000000", info_min_time="1699070400.000000000", info_search_time="1712100764.092008000", lastTime="2024-01-12T15:02:39", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.195.223]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.195.223", threat_object="23.93.195.223", threat_object_type="ip_address", user="victim_user@acme.com"
1701406800, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1701406800", action="failure", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Delivery", annotations._all="Okta Account Takeover", annotations._all="T1586", annotations._all="T1078", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="CIS 10", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="Installation", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2023-12-14T20:34:00", info_max_time="1712100000.000000000", info_min_time="1699070400.000000000", info_search_time="1712100764.092008000", lastTime="2023-12-14T20:34:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1712100581, search_name="ESCU - Okta User Logins from Multiple Cities - DM - Rule", City="", City="Frankfurt am Main", City="New York", Country="Germany", Country="United States", action="failure", action="success", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Weaponization\"], \"mitre_attack\": [\"T1586.003\"], \"nist\": [\"DE.AE\"]}", annotations._all="Okta Account Takeover", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="T1586.003", annotations._all="Weaponization", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.mitre_attack="T1586.003", annotations.nist="DE.AE", count="9", distinct_city="3", distinct_src="5", firstTime="1701406800", info_max_time="1712099700.000000000", info_min_time="1699070400.000000000", info_search_time="1712100575.900804000", lastTime="1709269200", risk_message="A user [victim_user@acme.com] has logged in from multiple cities [
Frankfurt am Main
New York] from IP Address - [18.185.207.118 23.93.195.223 23.93.210.147 23.93.213.13 72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects logins from the same user from different cities in a 24 hour period.  This could be an indication of a compromised account.", src="18.185.207.118", src="23.93.195.223", src="23.93.210.147", src="23.93.213.13", src="72.43.121.43", threat_object="18.185.207.118", threat_object="23.93.195.223", threat_object="23.93.210.147", threat_object="23.93.213.13", threat_object="72.43.121.43", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", user="victim_user@acme.com"
1709247000, search_name="ESCU - Okta New Device Enrolled on Account - Rule", orig_time="1709247000", action="created", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 40, \"kill_chain_phases\": [\"Installation\", \"Exploitation\"], \"mitre_attack\": [\"T1098\", \"T1098.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="Installation", annotations._all="T1098.005", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="T1098", annotations._all="Okta Account Takeover", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1098", annotations.mitre_attack="T1098.005", annotations.nist="DE.CM", command="device.enrollment.create", count="1", firstTime="2024-02-29T17:52:54", info_max_time="1712099700.000000000", info_min_time="1699070400.000000000", info_search_time="1712100522.390214000", lastTime="2024-02-29T17:52:54", object_category="UDDevice", result="Enroll new device", risk_message="victim_user@acme.com has added a new device to their account.", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="24.0", savedsearch_description="The following analytic will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", orig_sourcetype="OktaIM2:log", src="23.93.210.147", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Exploitation", annotations._all="T1087.004", annotations._all="Suspicious Okta Activity", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712099700.000000000", info_min_time="1699070400.000000000", info_search_time="1712100497.689149000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Exploitation", annotations._all="T1087.004", annotations._all="Suspicious Okta Activity", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712099700.000000000", info_min_time="1699070400.000000000", info_search_time="1712100497.689149000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Exploitation", annotations._all="T1087.004", annotations._all="Suspicious Okta Activity", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712099700.000000000", info_min_time="1699070400.000000000", info_search_time="1712100497.689149000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1621", annotations._all="Delivery", annotations._all="Installation", annotations._all="T1078.004", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="T1586", annotations._all="T1586.003", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="13", dest="dev-64597797.okta.com", firstTime="2024-03-04T15:28:40", info_max_time="1712099700.000000000", info_min_time="1699070400.000000000", info_search_time="1712100465.275873000", lastTime="2024-03-20T20:55:02", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1621", annotations._all="Delivery", annotations._all="Installation", annotations._all="T1078.004", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="T1586", annotations._all="T1586.003", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="4", dest="dev-64597797.okta.com", firstTime="2024-03-11T16:11:45", info_max_time="1712099700.000000000", info_min_time="1699070400.000000000", info_search_time="1712100465.275873000", lastTime="2024-03-11T16:13:46", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="New York", Country="United States", Region="New York", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1621", annotations._all="Delivery", annotations._all="Installation", annotations._all="T1078.004", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="T1586", annotations._all="T1586.003", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-02-28T14:10:15", info_max_time="1712099700.000000000", info_min_time="1699070400.000000000", info_search_time="1712100465.275873000", lastTime="2024-02-28T14:10:15", lat="40.76520", lon="-73.95880", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="72.43.121.43", threat_object="72.43.121.43", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1621", annotations._all="Delivery", annotations._all="Installation", annotations._all="T1078.004", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="T1586", annotations._all="T1586.003", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="7", dest="dev-64597797.okta.com", firstTime="2024-02-29T17:57:42", info_max_time="1712099700.000000000", info_min_time="1699070400.000000000", info_search_time="1712100465.275873000", lastTime="2024-02-29T18:29:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1621", annotations._all="Delivery", annotations._all="Installation", annotations._all="T1078.004", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="T1586", annotations._all="T1586.003", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="3", dest="dev-64597797.okta.com", firstTime="2024-02-29T16:24:48", info_max_time="1712099700.000000000", info_min_time="1699070400.000000000", info_search_time="1712100465.275873000", lastTime="2024-02-29T16:25:35", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1621", annotations._all="Delivery", annotations._all="Installation", annotations._all="T1078.004", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="T1586", annotations._all="T1586.003", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-23T14:29:45", info_max_time="1712099700.000000000", info_min_time="1699070400.000000000", info_search_time="1712100465.275873000", lastTime="2024-01-23T14:29:45", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1621", annotations._all="Delivery", annotations._all="Installation", annotations._all="T1078.004", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="T1586", annotations._all="T1586.003", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-12T15:02:39", info_max_time="1712099700.000000000", info_min_time="1699070400.000000000", info_search_time="1712100465.275873000", lastTime="2024-01-12T15:02:39", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.195.223]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.195.223", threat_object="23.93.195.223", threat_object_type="ip_address", user="victim_user@acme.com"
1701406800, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1701406800", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1621", annotations._all="Delivery", annotations._all="Installation", annotations._all="T1078.004", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="T1586", annotations._all="T1586.003", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2023-12-14T20:34:00", info_max_time="1712099700.000000000", info_min_time="1699070400.000000000", info_search_time="1712100465.275873000", lastTime="2023-12-14T20:34:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1712100280, search_name="ESCU - Okta User Logins from Multiple Cities - DM - Rule", City="", City="Frankfurt am Main", City="New York", Country="Germany", Country="United States", action="failure", action="success", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Weaponization\"], \"mitre_attack\": [\"T1586.003\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="DE.AE", annotations._all="T1586.003", annotations._all="Weaponization", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.mitre_attack="T1586.003", annotations.nist="DE.AE", count="9", distinct_city="3", distinct_src="5", firstTime="1701406800", info_max_time="1712099400.000000000", info_min_time="1699070400.000000000", info_search_time="1712100276.023823000", lastTime="1709269200", risk_message="A user [victim_user@acme.com] has logged in from multiple cities [
Frankfurt am Main
New York] from IP Address - [18.185.207.118 23.93.195.223 23.93.210.147 23.93.213.13 72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects logins from the same user from different cities in a 24 hour period.  This could be an indication of a compromised account.", src="18.185.207.118", src="23.93.195.223", src="23.93.210.147", src="23.93.213.13", src="72.43.121.43", threat_object="18.185.207.118", threat_object="23.93.195.223", threat_object="23.93.210.147", threat_object="23.93.213.13", threat_object="72.43.121.43", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", user="victim_user@acme.com"
1709247000, search_name="ESCU - Okta New Device Enrolled on Account - Rule", orig_time="1709247000", action="created", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 40, \"kill_chain_phases\": [\"Installation\", \"Exploitation\"], \"mitre_attack\": [\"T1098\", \"T1098.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="Okta Account Takeover", annotations._all="T1098.005", annotations._all="Exploitation", annotations._all="T1098", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Installation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1098", annotations.mitre_attack="T1098.005", annotations.nist="DE.CM", command="device.enrollment.create", count="1", firstTime="2024-02-29T17:52:54", info_max_time="1712099400.000000000", info_min_time="1699070400.000000000", info_search_time="1712100221.568076000", lastTime="2024-02-29T17:52:54", object_category="UDDevice", result="Enroll new device", risk_message="victim_user@acme.com has added a new device to their account.", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="24.0", savedsearch_description="The following analytic will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", orig_sourcetype="OktaIM2:log", src="23.93.210.147", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Suspicious Okta Activity", annotations._all="T1087.004", annotations._all="DE.AE", annotations._all="Exploitation", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712099400.000000000", info_min_time="1699070400.000000000", info_search_time="1712100193.305149000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Suspicious Okta Activity", annotations._all="T1087.004", annotations._all="DE.AE", annotations._all="Exploitation", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712099400.000000000", info_min_time="1699070400.000000000", info_search_time="1712100193.305149000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Suspicious Okta Activity", annotations._all="T1087.004", annotations._all="DE.AE", annotations._all="Exploitation", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712099400.000000000", info_min_time="1699070400.000000000", info_search_time="1712100193.305149000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="T1621", annotations._all="Weaponization", annotations._all="CIS 10", annotations._all="Delivery", annotations._all="T1078.004", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="T1586", annotations._all="Installation", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="13", dest="dev-64597797.okta.com", firstTime="2024-03-04T15:28:40", info_max_time="1712099400.000000000", info_min_time="1699070400.000000000", info_search_time="1712100163.876136000", lastTime="2024-03-20T20:55:02", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="T1621", annotations._all="Weaponization", annotations._all="CIS 10", annotations._all="Delivery", annotations._all="T1078.004", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="T1586", annotations._all="Installation", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="4", dest="dev-64597797.okta.com", firstTime="2024-03-11T16:11:45", info_max_time="1712099400.000000000", info_min_time="1699070400.000000000", info_search_time="1712100163.876136000", lastTime="2024-03-11T16:13:46", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="New York", Country="United States", Region="New York", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="T1621", annotations._all="Weaponization", annotations._all="CIS 10", annotations._all="Delivery", annotations._all="T1078.004", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="T1586", annotations._all="Installation", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-02-28T14:10:15", info_max_time="1712099400.000000000", info_min_time="1699070400.000000000", info_search_time="1712100163.876136000", lastTime="2024-02-28T14:10:15", lat="40.76520", lon="-73.95880", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="72.43.121.43", threat_object="72.43.121.43", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="T1621", annotations._all="Weaponization", annotations._all="CIS 10", annotations._all="Delivery", annotations._all="T1078.004", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="T1586", annotations._all="Installation", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="7", dest="dev-64597797.okta.com", firstTime="2024-02-29T17:57:42", info_max_time="1712099400.000000000", info_min_time="1699070400.000000000", info_search_time="1712100163.876136000", lastTime="2024-02-29T18:29:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="T1621", annotations._all="Weaponization", annotations._all="CIS 10", annotations._all="Delivery", annotations._all="T1078.004", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="T1586", annotations._all="Installation", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="3", dest="dev-64597797.okta.com", firstTime="2024-02-29T16:24:48", info_max_time="1712099400.000000000", info_min_time="1699070400.000000000", info_search_time="1712100163.876136000", lastTime="2024-02-29T16:25:35", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="T1621", annotations._all="Weaponization", annotations._all="CIS 10", annotations._all="Delivery", annotations._all="T1078.004", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="T1586", annotations._all="Installation", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-23T14:29:45", info_max_time="1712099400.000000000", info_min_time="1699070400.000000000", info_search_time="1712100163.876136000", lastTime="2024-01-23T14:29:45", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="T1621", annotations._all="Weaponization", annotations._all="CIS 10", annotations._all="Delivery", annotations._all="T1078.004", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="T1586", annotations._all="Installation", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-12T15:02:39", info_max_time="1712099400.000000000", info_min_time="1699070400.000000000", info_search_time="1712100163.876136000", lastTime="2024-01-12T15:02:39", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.195.223]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.195.223", threat_object="23.93.195.223", threat_object_type="ip_address", user="victim_user@acme.com"
1701406800, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1701406800", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="T1621", annotations._all="Weaponization", annotations._all="CIS 10", annotations._all="Delivery", annotations._all="T1078.004", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="T1586", annotations._all="Installation", annotations._all="T1078", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2023-12-14T20:34:00", info_max_time="1712099400.000000000", info_min_time="1699070400.000000000", info_search_time="1712100163.876136000", lastTime="2023-12-14T20:34:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1712099980, search_name="ESCU - Okta User Logins from Multiple Cities - DM - Rule", City="", City="Frankfurt am Main", City="New York", Country="Germany", Country="United States", action="failure", action="success", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Weaponization\"], \"mitre_attack\": [\"T1586.003\"], \"nist\": [\"DE.AE\"]}", annotations._all="T1586.003", annotations._all="Weaponization", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.mitre_attack="T1586.003", annotations.nist="DE.AE", count="9", distinct_city="3", distinct_src="5", firstTime="1701406800", info_max_time="1712099100.000000000", info_min_time="1699070400.000000000", info_search_time="1712099975.541698000", lastTime="1709269200", risk_message="A user [victim_user@acme.com] has logged in from multiple cities [
Frankfurt am Main
New York] from IP Address - [18.185.207.118 23.93.195.223 23.93.210.147 23.93.213.13 72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects logins from the same user from different cities in a 24 hour period.  This could be an indication of a compromised account.", src="18.185.207.118", src="23.93.195.223", src="23.93.210.147", src="23.93.213.13", src="72.43.121.43", threat_object="18.185.207.118", threat_object="23.93.195.223", threat_object="23.93.210.147", threat_object="23.93.213.13", threat_object="72.43.121.43", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", user="victim_user@acme.com"
1709247000, search_name="ESCU - Okta New Device Enrolled on Account - Rule", orig_time="1709247000", action="created", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 40, \"kill_chain_phases\": [\"Installation\", \"Exploitation\"], \"mitre_attack\": [\"T1098\", \"T1098.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="Installation", annotations._all="Exploitation", annotations._all="DE.CM", annotations._all="T1098", annotations._all="Okta Account Takeover", annotations._all="T1098.005", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1098", annotations.mitre_attack="T1098.005", annotations.nist="DE.CM", command="device.enrollment.create", count="1", firstTime="2024-02-29T17:52:54", info_max_time="1712099100.000000000", info_min_time="1699070400.000000000", info_search_time="1712099922.172621000", lastTime="2024-02-29T17:52:54", object_category="UDDevice", result="Enroll new device", risk_message="victim_user@acme.com has added a new device to their account.", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="24.0", savedsearch_description="The following analytic will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", orig_sourcetype="OktaIM2:log", src="23.93.210.147", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Suspicious Okta Activity", annotations._all="CIS 10", annotations._all="T1087.004", annotations._all="Exploitation", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712099100.000000000", info_min_time="1699070400.000000000", info_search_time="1712099893.819184000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Suspicious Okta Activity", annotations._all="CIS 10", annotations._all="T1087.004", annotations._all="Exploitation", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712099100.000000000", info_min_time="1699070400.000000000", info_search_time="1712099893.819184000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Suspicious Okta Activity", annotations._all="CIS 10", annotations._all="T1087.004", annotations._all="Exploitation", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712099100.000000000", info_min_time="1699070400.000000000", info_search_time="1712099893.819184000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="Delivery", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1586", annotations._all="Exploitation", annotations._all="T1078", annotations._all="Suspicious Okta Activity", annotations._all="T1586.003", annotations._all="T1078.004", annotations._all="Installation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="13", dest="dev-64597797.okta.com", firstTime="2024-03-04T15:28:40", info_max_time="1712099100.000000000", info_min_time="1699070400.000000000", info_search_time="1712099864.526900000", lastTime="2024-03-20T20:55:02", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="Delivery", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1586", annotations._all="Exploitation", annotations._all="T1078", annotations._all="Suspicious Okta Activity", annotations._all="T1586.003", annotations._all="T1078.004", annotations._all="Installation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="4", dest="dev-64597797.okta.com", firstTime="2024-03-11T16:11:45", info_max_time="1712099100.000000000", info_min_time="1699070400.000000000", info_search_time="1712099864.526900000", lastTime="2024-03-11T16:13:46", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="New York", Country="United States", Region="New York", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="Delivery", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1586", annotations._all="Exploitation", annotations._all="T1078", annotations._all="Suspicious Okta Activity", annotations._all="T1586.003", annotations._all="T1078.004", annotations._all="Installation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-02-28T14:10:15", info_max_time="1712099100.000000000", info_min_time="1699070400.000000000", info_search_time="1712099864.526900000", lastTime="2024-02-28T14:10:15", lat="40.76520", lon="-73.95880", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="72.43.121.43", threat_object="72.43.121.43", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="Delivery", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1586", annotations._all="Exploitation", annotations._all="T1078", annotations._all="Suspicious Okta Activity", annotations._all="T1586.003", annotations._all="T1078.004", annotations._all="Installation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="7", dest="dev-64597797.okta.com", firstTime="2024-02-29T17:57:42", info_max_time="1712099100.000000000", info_min_time="1699070400.000000000", info_search_time="1712099864.526900000", lastTime="2024-02-29T18:29:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="Delivery", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1586", annotations._all="Exploitation", annotations._all="T1078", annotations._all="Suspicious Okta Activity", annotations._all="T1586.003", annotations._all="T1078.004", annotations._all="Installation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="3", dest="dev-64597797.okta.com", firstTime="2024-02-29T16:24:48", info_max_time="1712099100.000000000", info_min_time="1699070400.000000000", info_search_time="1712099864.526900000", lastTime="2024-02-29T16:25:35", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="Delivery", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1586", annotations._all="Exploitation", annotations._all="T1078", annotations._all="Suspicious Okta Activity", annotations._all="T1586.003", annotations._all="T1078.004", annotations._all="Installation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-23T14:29:45", info_max_time="1712099100.000000000", info_min_time="1699070400.000000000", info_search_time="1712099864.526900000", lastTime="2024-01-23T14:29:45", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="Delivery", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1586", annotations._all="Exploitation", annotations._all="T1078", annotations._all="Suspicious Okta Activity", annotations._all="T1586.003", annotations._all="T1078.004", annotations._all="Installation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-12T15:02:39", info_max_time="1712099100.000000000", info_min_time="1699070400.000000000", info_search_time="1712099864.526900000", lastTime="2024-01-12T15:02:39", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.195.223]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.195.223", threat_object="23.93.195.223", threat_object_type="ip_address", user="victim_user@acme.com"
1701406800, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1701406800", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="Delivery", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1586", annotations._all="Exploitation", annotations._all="T1078", annotations._all="Suspicious Okta Activity", annotations._all="T1586.003", annotations._all="T1078.004", annotations._all="Installation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2023-12-14T20:34:00", info_max_time="1712099100.000000000", info_min_time="1699070400.000000000", info_search_time="1712099864.526900000", lastTime="2023-12-14T20:34:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1712099680, search_name="ESCU - Okta User Logins from Multiple Cities - DM - Rule", City="", City="Frankfurt am Main", City="New York", Country="Germany", Country="United States", action="failure", action="success", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Weaponization\"], \"mitre_attack\": [\"T1586.003\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="DE.AE", annotations._all="Suspicious Okta Activity", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.mitre_attack="T1586.003", annotations.nist="DE.AE", count="9", distinct_city="3", distinct_src="5", firstTime="1701406800", info_max_time="1712098800.000000000", info_min_time="1699070400.000000000", info_search_time="1712099676.193888000", lastTime="1709269200", risk_message="A user [victim_user@acme.com] has logged in from multiple cities [
Frankfurt am Main
New York] from IP Address - [18.185.207.118 23.93.195.223 23.93.210.147 23.93.213.13 72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects logins from the same user from different cities in a 24 hour period.  This could be an indication of a compromised account.", src="18.185.207.118", src="23.93.195.223", src="23.93.210.147", src="23.93.213.13", src="72.43.121.43", threat_object="18.185.207.118", threat_object="23.93.195.223", threat_object="23.93.210.147", threat_object="23.93.213.13", threat_object="72.43.121.43", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", user="victim_user@acme.com"
1709247000, search_name="ESCU - Okta New Device Enrolled on Account - Rule", orig_time="1709247000", action="created", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 40, \"kill_chain_phases\": [\"Installation\", \"Exploitation\"], \"mitre_attack\": [\"T1098\", \"T1098.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Installation", annotations._all="CIS 10", annotations._all="T1098", annotations._all="Exploitation", annotations._all="T1098.005", annotations._all="Okta Account Takeover", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1098", annotations.mitre_attack="T1098.005", annotations.nist="DE.CM", command="device.enrollment.create", count="1", firstTime="2024-02-29T17:52:54", info_max_time="1712098800.000000000", info_min_time="1699070400.000000000", info_search_time="1712099621.674085000", lastTime="2024-02-29T17:52:54", object_category="UDDevice", result="Enroll new device", risk_message="victim_user@acme.com has added a new device to their account.", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="24.0", savedsearch_description="The following analytic will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", orig_sourcetype="OktaIM2:log", src="23.93.210.147", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Suspicious Okta Activity", annotations._all="CIS 10", annotations._all="T1087.004", annotations._all="DE.AE", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712098800.000000000", info_min_time="1699070400.000000000", info_search_time="1712099593.303462000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Suspicious Okta Activity", annotations._all="CIS 10", annotations._all="T1087.004", annotations._all="DE.AE", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712098800.000000000", info_min_time="1699070400.000000000", info_search_time="1712099593.303462000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Suspicious Okta Activity", annotations._all="CIS 10", annotations._all="T1087.004", annotations._all="DE.AE", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712098800.000000000", info_min_time="1699070400.000000000", info_search_time="1712099593.303462000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Exploitation", annotations._all="Suspicious Okta Activity", annotations._all="Weaponization", annotations._all="DE.CM", annotations._all="T1078", annotations._all="T1078.004", annotations._all="Installation", annotations._all="T1621", annotations._all="T1586", annotations._all="T1586.003", annotations._all="Delivery", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="13", dest="dev-64597797.okta.com", firstTime="2024-03-04T15:28:40", info_max_time="1712098800.000000000", info_min_time="1699070400.000000000", info_search_time="1712099563.916515000", lastTime="2024-03-20T20:55:02", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Exploitation", annotations._all="Suspicious Okta Activity", annotations._all="Weaponization", annotations._all="DE.CM", annotations._all="T1078", annotations._all="T1078.004", annotations._all="Installation", annotations._all="T1621", annotations._all="T1586", annotations._all="T1586.003", annotations._all="Delivery", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="4", dest="dev-64597797.okta.com", firstTime="2024-03-11T16:11:45", info_max_time="1712098800.000000000", info_min_time="1699070400.000000000", info_search_time="1712099563.916515000", lastTime="2024-03-11T16:13:46", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="New York", Country="United States", Region="New York", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Exploitation", annotations._all="Suspicious Okta Activity", annotations._all="Weaponization", annotations._all="DE.CM", annotations._all="T1078", annotations._all="T1078.004", annotations._all="Installation", annotations._all="T1621", annotations._all="T1586", annotations._all="T1586.003", annotations._all="Delivery", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-02-28T14:10:15", info_max_time="1712098800.000000000", info_min_time="1699070400.000000000", info_search_time="1712099563.916515000", lastTime="2024-02-28T14:10:15", lat="40.76520", lon="-73.95880", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="72.43.121.43", threat_object="72.43.121.43", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Exploitation", annotations._all="Suspicious Okta Activity", annotations._all="Weaponization", annotations._all="DE.CM", annotations._all="T1078", annotations._all="T1078.004", annotations._all="Installation", annotations._all="T1621", annotations._all="T1586", annotations._all="T1586.003", annotations._all="Delivery", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="7", dest="dev-64597797.okta.com", firstTime="2024-02-29T17:57:42", info_max_time="1712098800.000000000", info_min_time="1699070400.000000000", info_search_time="1712099563.916515000", lastTime="2024-02-29T18:29:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Exploitation", annotations._all="Suspicious Okta Activity", annotations._all="Weaponization", annotations._all="DE.CM", annotations._all="T1078", annotations._all="T1078.004", annotations._all="Installation", annotations._all="T1621", annotations._all="T1586", annotations._all="T1586.003", annotations._all="Delivery", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="3", dest="dev-64597797.okta.com", firstTime="2024-02-29T16:24:48", info_max_time="1712098800.000000000", info_min_time="1699070400.000000000", info_search_time="1712099563.916515000", lastTime="2024-02-29T16:25:35", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Exploitation", annotations._all="Suspicious Okta Activity", annotations._all="Weaponization", annotations._all="DE.CM", annotations._all="T1078", annotations._all="T1078.004", annotations._all="Installation", annotations._all="T1621", annotations._all="T1586", annotations._all="T1586.003", annotations._all="Delivery", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-23T14:29:45", info_max_time="1712098800.000000000", info_min_time="1699070400.000000000", info_search_time="1712099563.916515000", lastTime="2024-01-23T14:29:45", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Exploitation", annotations._all="Suspicious Okta Activity", annotations._all="Weaponization", annotations._all="DE.CM", annotations._all="T1078", annotations._all="T1078.004", annotations._all="Installation", annotations._all="T1621", annotations._all="T1586", annotations._all="T1586.003", annotations._all="Delivery", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-12T15:02:39", info_max_time="1712098800.000000000", info_min_time="1699070400.000000000", info_search_time="1712099563.916515000", lastTime="2024-01-12T15:02:39", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.195.223]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.195.223", threat_object="23.93.195.223", threat_object_type="ip_address", user="victim_user@acme.com"
1701406800, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1701406800", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Exploitation", annotations._all="Suspicious Okta Activity", annotations._all="Weaponization", annotations._all="DE.CM", annotations._all="T1078", annotations._all="T1078.004", annotations._all="Installation", annotations._all="T1621", annotations._all="T1586", annotations._all="T1586.003", annotations._all="Delivery", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2023-12-14T20:34:00", info_max_time="1712098800.000000000", info_min_time="1699070400.000000000", info_search_time="1712099563.916515000", lastTime="2023-12-14T20:34:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1712099380, search_name="ESCU - Okta User Logins from Multiple Cities - DM - Rule", City="", City="Frankfurt am Main", City="New York", Country="Germany", Country="United States", action="failure", action="success", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Weaponization\"], \"mitre_attack\": [\"T1586.003\"], \"nist\": [\"DE.AE\"]}", annotations._all="T1586.003", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="DE.AE", annotations._all="Weaponization", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.mitre_attack="T1586.003", annotations.nist="DE.AE", count="9", distinct_city="3", distinct_src="5", firstTime="1701406800", info_max_time="1712098500.000000000", info_min_time="1699070400.000000000", info_search_time="1712099376.196645000", lastTime="1709269200", risk_message="A user [victim_user@acme.com] has logged in from multiple cities [
Frankfurt am Main
New York] from IP Address - [18.185.207.118 23.93.195.223 23.93.210.147 23.93.213.13 72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects logins from the same user from different cities in a 24 hour period.  This could be an indication of a compromised account.", src="18.185.207.118", src="23.93.195.223", src="23.93.210.147", src="23.93.213.13", src="72.43.121.43", threat_object="18.185.207.118", threat_object="23.93.195.223", threat_object="23.93.210.147", threat_object="23.93.213.13", threat_object="72.43.121.43", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", user="victim_user@acme.com"
1709247000, search_name="ESCU - Okta New Device Enrolled on Account - Rule", orig_time="1709247000", action="created", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 40, \"kill_chain_phases\": [\"Installation\", \"Exploitation\"], \"mitre_attack\": [\"T1098\", \"T1098.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1098.005", annotations._all="Okta Account Takeover", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="Installation", annotations._all="T1098", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1098", annotations.mitre_attack="T1098.005", annotations.nist="DE.CM", command="device.enrollment.create", count="1", firstTime="2024-02-29T17:52:54", info_max_time="1712098500.000000000", info_min_time="1699070400.000000000", info_search_time="1712099321.804434000", lastTime="2024-02-29T17:52:54", object_category="UDDevice", result="Enroll new device", risk_message="victim_user@acme.com has added a new device to their account.", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="24.0", savedsearch_description="The following analytic will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", orig_sourcetype="OktaIM2:log", src="23.93.210.147", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="Exploitation", annotations._all="Suspicious Okta Activity", annotations._all="CIS 10", annotations._all="T1087.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712098500.000000000", info_min_time="1699070400.000000000", info_search_time="1712099293.416798000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="Exploitation", annotations._all="Suspicious Okta Activity", annotations._all="CIS 10", annotations._all="T1087.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712098500.000000000", info_min_time="1699070400.000000000", info_search_time="1712099293.416798000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="Exploitation", annotations._all="Suspicious Okta Activity", annotations._all="CIS 10", annotations._all="T1087.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712098500.000000000", info_min_time="1699070400.000000000", info_search_time="1712099293.416798000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078.004", annotations._all="T1621", annotations._all="Installation", annotations._all="T1586.003", annotations._all="Exploitation", annotations._all="T1586", annotations._all="Delivery", annotations._all="Suspicious Okta Activity", annotations._all="T1078", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Weaponization", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="13", dest="dev-64597797.okta.com", firstTime="2024-03-04T15:28:40", info_max_time="1712098500.000000000", info_min_time="1699070400.000000000", info_search_time="1712099264.302663000", lastTime="2024-03-20T20:55:02", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078.004", annotations._all="T1621", annotations._all="Installation", annotations._all="T1586.003", annotations._all="Exploitation", annotations._all="T1586", annotations._all="Delivery", annotations._all="Suspicious Okta Activity", annotations._all="T1078", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Weaponization", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="4", dest="dev-64597797.okta.com", firstTime="2024-03-11T16:11:45", info_max_time="1712098500.000000000", info_min_time="1699070400.000000000", info_search_time="1712099264.302663000", lastTime="2024-03-11T16:13:46", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="New York", Country="United States", Region="New York", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078.004", annotations._all="T1621", annotations._all="Installation", annotations._all="T1586.003", annotations._all="Exploitation", annotations._all="T1586", annotations._all="Delivery", annotations._all="Suspicious Okta Activity", annotations._all="T1078", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Weaponization", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-02-28T14:10:15", info_max_time="1712098500.000000000", info_min_time="1699070400.000000000", info_search_time="1712099264.302663000", lastTime="2024-02-28T14:10:15", lat="40.76520", lon="-73.95880", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="72.43.121.43", threat_object="72.43.121.43", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078.004", annotations._all="T1621", annotations._all="Installation", annotations._all="T1586.003", annotations._all="Exploitation", annotations._all="T1586", annotations._all="Delivery", annotations._all="Suspicious Okta Activity", annotations._all="T1078", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Weaponization", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="7", dest="dev-64597797.okta.com", firstTime="2024-02-29T17:57:42", info_max_time="1712098500.000000000", info_min_time="1699070400.000000000", info_search_time="1712099264.302663000", lastTime="2024-02-29T18:29:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078.004", annotations._all="T1621", annotations._all="Installation", annotations._all="T1586.003", annotations._all="Exploitation", annotations._all="T1586", annotations._all="Delivery", annotations._all="Suspicious Okta Activity", annotations._all="T1078", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Weaponization", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="3", dest="dev-64597797.okta.com", firstTime="2024-02-29T16:24:48", info_max_time="1712098500.000000000", info_min_time="1699070400.000000000", info_search_time="1712099264.302663000", lastTime="2024-02-29T16:25:35", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078.004", annotations._all="T1621", annotations._all="Installation", annotations._all="T1586.003", annotations._all="Exploitation", annotations._all="T1586", annotations._all="Delivery", annotations._all="Suspicious Okta Activity", annotations._all="T1078", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Weaponization", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-23T14:29:45", info_max_time="1712098500.000000000", info_min_time="1699070400.000000000", info_search_time="1712099264.302663000", lastTime="2024-01-23T14:29:45", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078.004", annotations._all="T1621", annotations._all="Installation", annotations._all="T1586.003", annotations._all="Exploitation", annotations._all="T1586", annotations._all="Delivery", annotations._all="Suspicious Okta Activity", annotations._all="T1078", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Weaponization", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-12T15:02:39", info_max_time="1712098500.000000000", info_min_time="1699070400.000000000", info_search_time="1712099264.302663000", lastTime="2024-01-12T15:02:39", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.195.223]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.195.223", threat_object="23.93.195.223", threat_object_type="ip_address", user="victim_user@acme.com"
1701406800, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1701406800", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078.004", annotations._all="T1621", annotations._all="Installation", annotations._all="T1586.003", annotations._all="Exploitation", annotations._all="T1586", annotations._all="Delivery", annotations._all="Suspicious Okta Activity", annotations._all="T1078", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Weaponization", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2023-12-14T20:34:00", info_max_time="1712098500.000000000", info_min_time="1699070400.000000000", info_search_time="1712099264.302663000", lastTime="2023-12-14T20:34:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1712099080, search_name="ESCU - Okta User Logins from Multiple Cities - DM - Rule", City="", City="Frankfurt am Main", City="New York", Country="Germany", Country="United States", action="failure", action="success", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Weaponization\"], \"mitre_attack\": [\"T1586.003\"], \"nist\": [\"DE.AE\"]}", annotations._all="Suspicious Okta Activity", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Weaponization", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.mitre_attack="T1586.003", annotations.nist="DE.AE", count="9", distinct_city="3", distinct_src="5", firstTime="1701406800", info_max_time="1712098200.000000000", info_min_time="1699070400.000000000", info_search_time="1712099075.736521000", lastTime="1709269200", risk_message="A user [victim_user@acme.com] has logged in from multiple cities [
Frankfurt am Main
New York] from IP Address - [18.185.207.118 23.93.195.223 23.93.210.147 23.93.213.13 72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects logins from the same user from different cities in a 24 hour period.  This could be an indication of a compromised account.", src="18.185.207.118", src="23.93.195.223", src="23.93.210.147", src="23.93.213.13", src="72.43.121.43", threat_object="18.185.207.118", threat_object="23.93.195.223", threat_object="23.93.210.147", threat_object="23.93.213.13", threat_object="72.43.121.43", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", user="victim_user@acme.com"
1709247000, search_name="ESCU - Okta New Device Enrolled on Account - Rule", orig_time="1709247000", action="created", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 40, \"kill_chain_phases\": [\"Installation\", \"Exploitation\"], \"mitre_attack\": [\"T1098\", \"T1098.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1098.005", annotations._all="Exploitation", annotations._all="T1098", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Installation", annotations._all="Okta Account Takeover", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1098", annotations.mitre_attack="T1098.005", annotations.nist="DE.CM", command="device.enrollment.create", count="1", firstTime="2024-02-29T17:52:54", info_max_time="1712098200.000000000", info_min_time="1699070400.000000000", info_search_time="1712099021.642247000", lastTime="2024-02-29T17:52:54", object_category="UDDevice", result="Enroll new device", risk_message="victim_user@acme.com has added a new device to their account.", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="24.0", savedsearch_description="The following analytic will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", orig_sourcetype="OktaIM2:log", src="23.93.210.147", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Suspicious Okta Activity", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="T1087.004", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712098200.000000000", info_min_time="1699070400.000000000", info_search_time="1712098993.305128000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Suspicious Okta Activity", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="T1087.004", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712098200.000000000", info_min_time="1699070400.000000000", info_search_time="1712098993.305128000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Suspicious Okta Activity", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="T1087.004", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712098200.000000000", info_min_time="1699070400.000000000", info_search_time="1712098993.305128000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="T1586", annotations._all="DE.CM", annotations._all="Delivery", annotations._all="Weaponization", annotations._all="T1078", annotations._all="T1078.004", annotations._all="Installation", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="13", dest="dev-64597797.okta.com", firstTime="2024-03-04T15:28:40", info_max_time="1712098200.000000000", info_min_time="1699070400.000000000", info_search_time="1712098964.030791000", lastTime="2024-03-20T20:55:02", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="T1586", annotations._all="DE.CM", annotations._all="Delivery", annotations._all="Weaponization", annotations._all="T1078", annotations._all="T1078.004", annotations._all="Installation", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="4", dest="dev-64597797.okta.com", firstTime="2024-03-11T16:11:45", info_max_time="1712098200.000000000", info_min_time="1699070400.000000000", info_search_time="1712098964.030791000", lastTime="2024-03-11T16:13:46", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="New York", Country="United States", Region="New York", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="T1586", annotations._all="DE.CM", annotations._all="Delivery", annotations._all="Weaponization", annotations._all="T1078", annotations._all="T1078.004", annotations._all="Installation", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-02-28T14:10:15", info_max_time="1712098200.000000000", info_min_time="1699070400.000000000", info_search_time="1712098964.030791000", lastTime="2024-02-28T14:10:15", lat="40.76520", lon="-73.95880", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="72.43.121.43", threat_object="72.43.121.43", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="T1586", annotations._all="DE.CM", annotations._all="Delivery", annotations._all="Weaponization", annotations._all="T1078", annotations._all="T1078.004", annotations._all="Installation", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="7", dest="dev-64597797.okta.com", firstTime="2024-02-29T17:57:42", info_max_time="1712098200.000000000", info_min_time="1699070400.000000000", info_search_time="1712098964.030791000", lastTime="2024-02-29T18:29:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="T1586", annotations._all="DE.CM", annotations._all="Delivery", annotations._all="Weaponization", annotations._all="T1078", annotations._all="T1078.004", annotations._all="Installation", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="3", dest="dev-64597797.okta.com", firstTime="2024-02-29T16:24:48", info_max_time="1712098200.000000000", info_min_time="1699070400.000000000", info_search_time="1712098964.030791000", lastTime="2024-02-29T16:25:35", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="T1586", annotations._all="DE.CM", annotations._all="Delivery", annotations._all="Weaponization", annotations._all="T1078", annotations._all="T1078.004", annotations._all="Installation", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-23T14:29:45", info_max_time="1712098200.000000000", info_min_time="1699070400.000000000", info_search_time="1712098964.030791000", lastTime="2024-01-23T14:29:45", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="T1586", annotations._all="DE.CM", annotations._all="Delivery", annotations._all="Weaponization", annotations._all="T1078", annotations._all="T1078.004", annotations._all="Installation", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-12T15:02:39", info_max_time="1712098200.000000000", info_min_time="1699070400.000000000", info_search_time="1712098964.030791000", lastTime="2024-01-12T15:02:39", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.195.223]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.195.223", threat_object="23.93.195.223", threat_object_type="ip_address", user="victim_user@acme.com"
1701406800, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1701406800", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="T1586", annotations._all="DE.CM", annotations._all="Delivery", annotations._all="Weaponization", annotations._all="T1078", annotations._all="T1078.004", annotations._all="Installation", annotations._all="Exploitation", annotations._all="T1586.003", annotations._all="T1621", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2023-12-14T20:34:00", info_max_time="1712098200.000000000", info_min_time="1699070400.000000000", info_search_time="1712098964.030791000", lastTime="2023-12-14T20:34:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1712098780, search_name="ESCU - Okta User Logins from Multiple Cities - DM - Rule", City="", City="Frankfurt am Main", City="New York", Country="Germany", Country="United States", action="failure", action="success", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Weaponization\"], \"mitre_attack\": [\"T1586.003\"], \"nist\": [\"DE.AE\"]}", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.mitre_attack="T1586.003", annotations.nist="DE.AE", count="9", distinct_city="3", distinct_src="5", firstTime="1701406800", info_max_time="1712097900.000000000", info_min_time="1699070400.000000000", info_search_time="1712098775.393069000", lastTime="1709269200", risk_message="A user [victim_user@acme.com] has logged in from multiple cities [
Frankfurt am Main
New York] from IP Address - [18.185.207.118 23.93.195.223 23.93.210.147 23.93.213.13 72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects logins from the same user from different cities in a 24 hour period.  This could be an indication of a compromised account.", src="18.185.207.118", src="23.93.195.223", src="23.93.210.147", src="23.93.213.13", src="72.43.121.43", threat_object="18.185.207.118", threat_object="23.93.195.223", threat_object="23.93.210.147", threat_object="23.93.213.13", threat_object="72.43.121.43", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", user="victim_user@acme.com"
1709247000, search_name="ESCU - Okta New Device Enrolled on Account - Rule", orig_time="1709247000", action="created", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 40, \"kill_chain_phases\": [\"Installation\", \"Exploitation\"], \"mitre_attack\": [\"T1098\", \"T1098.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="Exploitation", annotations._all="Okta Account Takeover", annotations._all="T1098", annotations._all="DE.CM", annotations._all="T1098.005", annotations._all="CIS 10", annotations._all="Installation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1098", annotations.mitre_attack="T1098.005", annotations.nist="DE.CM", command="device.enrollment.create", count="1", firstTime="2024-02-29T17:52:54", info_max_time="1712097900.000000000", info_min_time="1699070400.000000000", info_search_time="1712098721.820253000", lastTime="2024-02-29T17:52:54", object_category="UDDevice", result="Enroll new device", risk_message="victim_user@acme.com has added a new device to their account.", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="24.0", savedsearch_description="The following analytic will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", orig_sourcetype="OktaIM2:log", src="23.93.210.147", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Suspicious Okta Activity", annotations._all="DE.AE", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1087.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712097900.000000000", info_min_time="1699070400.000000000", info_search_time="1712098693.568684000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Suspicious Okta Activity", annotations._all="DE.AE", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1087.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712097900.000000000", info_min_time="1699070400.000000000", info_search_time="1712098693.568684000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Suspicious Okta Activity", annotations._all="DE.AE", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1087.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712097900.000000000", info_min_time="1699070400.000000000", info_search_time="1712098693.568684000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1078", annotations._all="T1586", annotations._all="Exploitation", annotations._all="Installation", annotations._all="Weaponization", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="T1621", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="13", dest="dev-64597797.okta.com", firstTime="2024-03-04T15:28:40", info_max_time="1712097900.000000000", info_min_time="1699070400.000000000", info_search_time="1712098664.330957000", lastTime="2024-03-20T20:55:02", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1078", annotations._all="T1586", annotations._all="Exploitation", annotations._all="Installation", annotations._all="Weaponization", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="T1621", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="4", dest="dev-64597797.okta.com", firstTime="2024-03-11T16:11:45", info_max_time="1712097900.000000000", info_min_time="1699070400.000000000", info_search_time="1712098664.330957000", lastTime="2024-03-11T16:13:46", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="New York", Country="United States", Region="New York", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1078", annotations._all="T1586", annotations._all="Exploitation", annotations._all="Installation", annotations._all="Weaponization", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="T1621", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-02-28T14:10:15", info_max_time="1712097900.000000000", info_min_time="1699070400.000000000", info_search_time="1712098664.330957000", lastTime="2024-02-28T14:10:15", lat="40.76520", lon="-73.95880", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="72.43.121.43", threat_object="72.43.121.43", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1078", annotations._all="T1586", annotations._all="Exploitation", annotations._all="Installation", annotations._all="Weaponization", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="T1621", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="7", dest="dev-64597797.okta.com", firstTime="2024-02-29T17:57:42", info_max_time="1712097900.000000000", info_min_time="1699070400.000000000", info_search_time="1712098664.330957000", lastTime="2024-02-29T18:29:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1078", annotations._all="T1586", annotations._all="Exploitation", annotations._all="Installation", annotations._all="Weaponization", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="T1621", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="3", dest="dev-64597797.okta.com", firstTime="2024-02-29T16:24:48", info_max_time="1712097900.000000000", info_min_time="1699070400.000000000", info_search_time="1712098664.330957000", lastTime="2024-02-29T16:25:35", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1078", annotations._all="T1586", annotations._all="Exploitation", annotations._all="Installation", annotations._all="Weaponization", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="T1621", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-23T14:29:45", info_max_time="1712097900.000000000", info_min_time="1699070400.000000000", info_search_time="1712098664.330957000", lastTime="2024-01-23T14:29:45", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1078", annotations._all="T1586", annotations._all="Exploitation", annotations._all="Installation", annotations._all="Weaponization", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="T1621", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-12T15:02:39", info_max_time="1712097900.000000000", info_min_time="1699070400.000000000", info_search_time="1712098664.330957000", lastTime="2024-01-12T15:02:39", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.195.223]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.195.223", threat_object="23.93.195.223", threat_object_type="ip_address", user="victim_user@acme.com"
1701406800, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1701406800", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1078", annotations._all="T1586", annotations._all="Exploitation", annotations._all="Installation", annotations._all="Weaponization", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="T1621", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2023-12-14T20:34:00", info_max_time="1712097900.000000000", info_min_time="1699070400.000000000", info_search_time="1712098664.330957000", lastTime="2023-12-14T20:34:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1712098479, search_name="ESCU - Okta User Logins from Multiple Cities - DM - Rule", City="", City="Frankfurt am Main", City="New York", Country="Germany", Country="United States", action="failure", action="success", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Weaponization\"], \"mitre_attack\": [\"T1586.003\"], \"nist\": [\"DE.AE\"]}", annotations._all="Suspicious Okta Activity", annotations._all="DE.AE", annotations._all="T1586.003", annotations._all="CIS 10", annotations._all="Weaponization", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.mitre_attack="T1586.003", annotations.nist="DE.AE", count="9", distinct_city="3", distinct_src="5", firstTime="1701406800", info_max_time="1712097600.000000000", info_min_time="1699070400.000000000", info_search_time="1712098475.443112000", lastTime="1709269200", risk_message="A user [victim_user@acme.com] has logged in from multiple cities [
Frankfurt am Main
New York] from IP Address - [18.185.207.118 23.93.195.223 23.93.210.147 23.93.213.13 72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects logins from the same user from different cities in a 24 hour period.  This could be an indication of a compromised account.", src="18.185.207.118", src="23.93.195.223", src="23.93.210.147", src="23.93.213.13", src="72.43.121.43", threat_object="18.185.207.118", threat_object="23.93.195.223", threat_object="23.93.210.147", threat_object="23.93.213.13", threat_object="72.43.121.43", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", user="victim_user@acme.com"
1709247000, search_name="ESCU - Okta New Device Enrolled on Account - Rule", orig_time="1709247000", action="created", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 40, \"kill_chain_phases\": [\"Installation\", \"Exploitation\"], \"mitre_attack\": [\"T1098\", \"T1098.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1098", annotations._all="T1098.005", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="Installation", annotations._all="Okta Account Takeover", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1098", annotations.mitre_attack="T1098.005", annotations.nist="DE.CM", command="device.enrollment.create", count="1", firstTime="2024-02-29T17:52:54", info_max_time="1712097600.000000000", info_min_time="1699070400.000000000", info_search_time="1712098421.987264000", lastTime="2024-02-29T17:52:54", object_category="UDDevice", result="Enroll new device", risk_message="victim_user@acme.com has added a new device to their account.", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="24.0", savedsearch_description="The following analytic will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", orig_sourcetype="OktaIM2:log", src="23.93.210.147", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="T1087.004", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712097600.000000000", info_min_time="1699070400.000000000", info_search_time="1712098393.611124000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="T1087.004", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712097600.000000000", info_min_time="1699070400.000000000", info_search_time="1712098393.611124000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="T1087.004", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712097600.000000000", info_min_time="1699070400.000000000", info_search_time="1712098393.611124000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586.003", annotations._all="T1586", annotations._all="Weaponization", annotations._all="Delivery", annotations._all="Suspicious Okta Activity", annotations._all="Installation", annotations._all="T1621", annotations._all="T1078.004", annotations._all="T1078", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="13", dest="dev-64597797.okta.com", firstTime="2024-03-04T15:28:40", info_max_time="1712097600.000000000", info_min_time="1699070400.000000000", info_search_time="1712098364.376311000", lastTime="2024-03-20T20:55:02", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586.003", annotations._all="T1586", annotations._all="Weaponization", annotations._all="Delivery", annotations._all="Suspicious Okta Activity", annotations._all="Installation", annotations._all="T1621", annotations._all="T1078.004", annotations._all="T1078", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="4", dest="dev-64597797.okta.com", firstTime="2024-03-11T16:11:45", info_max_time="1712097600.000000000", info_min_time="1699070400.000000000", info_search_time="1712098364.376311000", lastTime="2024-03-11T16:13:46", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="New York", Country="United States", Region="New York", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586.003", annotations._all="T1586", annotations._all="Weaponization", annotations._all="Delivery", annotations._all="Suspicious Okta Activity", annotations._all="Installation", annotations._all="T1621", annotations._all="T1078.004", annotations._all="T1078", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-02-28T14:10:15", info_max_time="1712097600.000000000", info_min_time="1699070400.000000000", info_search_time="1712098364.376311000", lastTime="2024-02-28T14:10:15", lat="40.76520", lon="-73.95880", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="72.43.121.43", threat_object="72.43.121.43", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586.003", annotations._all="T1586", annotations._all="Weaponization", annotations._all="Delivery", annotations._all="Suspicious Okta Activity", annotations._all="Installation", annotations._all="T1621", annotations._all="T1078.004", annotations._all="T1078", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="7", dest="dev-64597797.okta.com", firstTime="2024-02-29T17:57:42", info_max_time="1712097600.000000000", info_min_time="1699070400.000000000", info_search_time="1712098364.376311000", lastTime="2024-02-29T18:29:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586.003", annotations._all="T1586", annotations._all="Weaponization", annotations._all="Delivery", annotations._all="Suspicious Okta Activity", annotations._all="Installation", annotations._all="T1621", annotations._all="T1078.004", annotations._all="T1078", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="3", dest="dev-64597797.okta.com", firstTime="2024-02-29T16:24:48", info_max_time="1712097600.000000000", info_min_time="1699070400.000000000", info_search_time="1712098364.376311000", lastTime="2024-02-29T16:25:35", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586.003", annotations._all="T1586", annotations._all="Weaponization", annotations._all="Delivery", annotations._all="Suspicious Okta Activity", annotations._all="Installation", annotations._all="T1621", annotations._all="T1078.004", annotations._all="T1078", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-23T14:29:45", info_max_time="1712097600.000000000", info_min_time="1699070400.000000000", info_search_time="1712098364.376311000", lastTime="2024-01-23T14:29:45", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586.003", annotations._all="T1586", annotations._all="Weaponization", annotations._all="Delivery", annotations._all="Suspicious Okta Activity", annotations._all="Installation", annotations._all="T1621", annotations._all="T1078.004", annotations._all="T1078", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-12T15:02:39", info_max_time="1712097600.000000000", info_min_time="1699070400.000000000", info_search_time="1712098364.376311000", lastTime="2024-01-12T15:02:39", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.195.223]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.195.223", threat_object="23.93.195.223", threat_object_type="ip_address", user="victim_user@acme.com"
1701406800, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1701406800", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586.003", annotations._all="T1586", annotations._all="Weaponization", annotations._all="Delivery", annotations._all="Suspicious Okta Activity", annotations._all="Installation", annotations._all="T1621", annotations._all="T1078.004", annotations._all="T1078", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2023-12-14T20:34:00", info_max_time="1712097600.000000000", info_min_time="1699070400.000000000", info_search_time="1712098364.376311000", lastTime="2023-12-14T20:34:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1712098180, search_name="ESCU - Okta User Logins from Multiple Cities - DM - Rule", City="", City="Frankfurt am Main", City="New York", Country="Germany", Country="United States", action="failure", action="success", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Weaponization\"], \"mitre_attack\": [\"T1586.003\"], \"nist\": [\"DE.AE\"]}", annotations._all="Suspicious Okta Activity", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="DE.AE", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.mitre_attack="T1586.003", annotations.nist="DE.AE", count="9", distinct_city="3", distinct_src="5", firstTime="1701406800", info_max_time="1712097300.000000000", info_min_time="1699070400.000000000", info_search_time="1712098175.645723000", lastTime="1709269200", risk_message="A user [victim_user@acme.com] has logged in from multiple cities [
Frankfurt am Main
New York] from IP Address - [18.185.207.118 23.93.195.223 23.93.210.147 23.93.213.13 72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects logins from the same user from different cities in a 24 hour period.  This could be an indication of a compromised account.", src="18.185.207.118", src="23.93.195.223", src="23.93.210.147", src="23.93.213.13", src="72.43.121.43", threat_object="18.185.207.118", threat_object="23.93.195.223", threat_object="23.93.210.147", threat_object="23.93.213.13", threat_object="72.43.121.43", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", user="victim_user@acme.com"
1709247000, search_name="ESCU - Okta New Device Enrolled on Account - Rule", orig_time="1709247000", action="created", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 40, \"kill_chain_phases\": [\"Installation\", \"Exploitation\"], \"mitre_attack\": [\"T1098\", \"T1098.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="Installation", annotations._all="T1098", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="DE.CM", annotations._all="T1098.005", annotations._all="Okta Account Takeover", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1098", annotations.mitre_attack="T1098.005", annotations.nist="DE.CM", command="device.enrollment.create", count="1", firstTime="2024-02-29T17:52:54", info_max_time="1712097300.000000000", info_min_time="1699070400.000000000", info_search_time="1712098122.174892000", lastTime="2024-02-29T17:52:54", object_category="UDDevice", result="Enroll new device", risk_message="victim_user@acme.com has added a new device to their account.", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="24.0", savedsearch_description="The following analytic will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", orig_sourcetype="OktaIM2:log", src="23.93.210.147", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._all="DE.AE", annotations._all="T1087.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712097300.000000000", info_min_time="1699070400.000000000", info_search_time="1712098093.928825000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._all="DE.AE", annotations._all="T1087.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712097300.000000000", info_min_time="1699070400.000000000", info_search_time="1712098093.928825000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="Exploitation", annotations._all="DE.AE", annotations._all="T1087.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712097300.000000000", info_min_time="1699070400.000000000", info_search_time="1712098093.928825000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Delivery", annotations._all="T1586.003", annotations._all="Exploitation", annotations._all="DE.CM", annotations._all="Suspicious Okta Activity", annotations._all="T1078.004", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="T1078", annotations._all="T1621", annotations._all="Installation", annotations._all="T1586", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="13", dest="dev-64597797.okta.com", firstTime="2024-03-04T15:28:40", info_max_time="1712097300.000000000", info_min_time="1699070400.000000000", info_search_time="1712098063.868395000", lastTime="2024-03-20T20:55:02", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Delivery", annotations._all="T1586.003", annotations._all="Exploitation", annotations._all="DE.CM", annotations._all="Suspicious Okta Activity", annotations._all="T1078.004", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="T1078", annotations._all="T1621", annotations._all="Installation", annotations._all="T1586", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="4", dest="dev-64597797.okta.com", firstTime="2024-03-11T16:11:45", info_max_time="1712097300.000000000", info_min_time="1699070400.000000000", info_search_time="1712098063.868395000", lastTime="2024-03-11T16:13:46", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="New York", Country="United States", Region="New York", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Delivery", annotations._all="T1586.003", annotations._all="Exploitation", annotations._all="DE.CM", annotations._all="Suspicious Okta Activity", annotations._all="T1078.004", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="T1078", annotations._all="T1621", annotations._all="Installation", annotations._all="T1586", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-02-28T14:10:15", info_max_time="1712097300.000000000", info_min_time="1699070400.000000000", info_search_time="1712098063.868395000", lastTime="2024-02-28T14:10:15", lat="40.76520", lon="-73.95880", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="72.43.121.43", threat_object="72.43.121.43", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Delivery", annotations._all="T1586.003", annotations._all="Exploitation", annotations._all="DE.CM", annotations._all="Suspicious Okta Activity", annotations._all="T1078.004", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="T1078", annotations._all="T1621", annotations._all="Installation", annotations._all="T1586", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="7", dest="dev-64597797.okta.com", firstTime="2024-02-29T17:57:42", info_max_time="1712097300.000000000", info_min_time="1699070400.000000000", info_search_time="1712098063.868395000", lastTime="2024-02-29T18:29:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Delivery", annotations._all="T1586.003", annotations._all="Exploitation", annotations._all="DE.CM", annotations._all="Suspicious Okta Activity", annotations._all="T1078.004", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="T1078", annotations._all="T1621", annotations._all="Installation", annotations._all="T1586", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="3", dest="dev-64597797.okta.com", firstTime="2024-02-29T16:24:48", info_max_time="1712097300.000000000", info_min_time="1699070400.000000000", info_search_time="1712098063.868395000", lastTime="2024-02-29T16:25:35", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Delivery", annotations._all="T1586.003", annotations._all="Exploitation", annotations._all="DE.CM", annotations._all="Suspicious Okta Activity", annotations._all="T1078.004", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="T1078", annotations._all="T1621", annotations._all="Installation", annotations._all="T1586", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-23T14:29:45", info_max_time="1712097300.000000000", info_min_time="1699070400.000000000", info_search_time="1712098063.868395000", lastTime="2024-01-23T14:29:45", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Delivery", annotations._all="T1586.003", annotations._all="Exploitation", annotations._all="DE.CM", annotations._all="Suspicious Okta Activity", annotations._all="T1078.004", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="T1078", annotations._all="T1621", annotations._all="Installation", annotations._all="T1586", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-12T15:02:39", info_max_time="1712097300.000000000", info_min_time="1699070400.000000000", info_search_time="1712098063.868395000", lastTime="2024-01-12T15:02:39", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.195.223]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.195.223", threat_object="23.93.195.223", threat_object_type="ip_address", user="victim_user@acme.com"
1701406800, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1701406800", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Delivery", annotations._all="T1586.003", annotations._all="Exploitation", annotations._all="DE.CM", annotations._all="Suspicious Okta Activity", annotations._all="T1078.004", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="T1078", annotations._all="T1621", annotations._all="Installation", annotations._all="T1586", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2023-12-14T20:34:00", info_max_time="1712097300.000000000", info_min_time="1699070400.000000000", info_search_time="1712098063.868395000", lastTime="2023-12-14T20:34:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1712097881, search_name="ESCU - Okta User Logins from Multiple Cities - DM - Rule", City="", City="Frankfurt am Main", City="New York", Country="Germany", Country="United States", action="failure", action="success", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Weaponization\"], \"mitre_attack\": [\"T1586.003\"], \"nist\": [\"DE.AE\"]}", annotations._all="T1586.003", annotations._all="DE.AE", annotations._all="Suspicious Okta Activity", annotations._all="Weaponization", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.mitre_attack="T1586.003", annotations.nist="DE.AE", count="9", distinct_city="3", distinct_src="5", firstTime="1701406800", info_max_time="1712097000.000000000", info_min_time="1699070400.000000000", info_search_time="1712097875.744439000", lastTime="1709269200", risk_message="A user [victim_user@acme.com] has logged in from multiple cities [
Frankfurt am Main
New York] from IP Address - [18.185.207.118 23.93.195.223 23.93.210.147 23.93.213.13 72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects logins from the same user from different cities in a 24 hour period.  This could be an indication of a compromised account.", src="18.185.207.118", src="23.93.195.223", src="23.93.210.147", src="23.93.213.13", src="72.43.121.43", threat_object="18.185.207.118", threat_object="23.93.195.223", threat_object="23.93.210.147", threat_object="23.93.213.13", threat_object="72.43.121.43", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", user="victim_user@acme.com"
1709247000, search_name="ESCU - Okta New Device Enrolled on Account - Rule", orig_time="1709247000", action="created", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 40, \"kill_chain_phases\": [\"Installation\", \"Exploitation\"], \"mitre_attack\": [\"T1098\", \"T1098.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="Installation", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="T1098", annotations._all="Okta Account Takeover", annotations._all="CIS 10", annotations._all="T1098.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1098", annotations.mitre_attack="T1098.005", annotations.nist="DE.CM", command="device.enrollment.create", count="1", firstTime="2024-02-29T17:52:54", info_max_time="1712097000.000000000", info_min_time="1699070400.000000000", info_search_time="1712097822.239498000", lastTime="2024-02-29T17:52:54", object_category="UDDevice", result="Enroll new device", risk_message="victim_user@acme.com has added a new device to their account.", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="24.0", savedsearch_description="The following analytic will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", orig_sourcetype="OktaIM2:log", src="23.93.210.147", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Exploitation", annotations._all="T1087.004", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712097000.000000000", info_min_time="1699070400.000000000", info_search_time="1712097793.890833000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Exploitation", annotations._all="T1087.004", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712097000.000000000", info_min_time="1699070400.000000000", info_search_time="1712097793.890833000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Exploitation", annotations._all="T1087.004", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712097000.000000000", info_min_time="1699070400.000000000", info_search_time="1712097793.890833000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Delivery", annotations._all="T1586", annotations._all="Suspicious Okta Activity", annotations._all="T1078", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="13", dest="dev-64597797.okta.com", firstTime="2024-03-04T15:28:40", info_max_time="1712097000.000000000", info_min_time="1699070400.000000000", info_search_time="1712097763.641442000", lastTime="2024-03-20T20:55:02", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Delivery", annotations._all="T1586", annotations._all="Suspicious Okta Activity", annotations._all="T1078", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="4", dest="dev-64597797.okta.com", firstTime="2024-03-11T16:11:45", info_max_time="1712097000.000000000", info_min_time="1699070400.000000000", info_search_time="1712097763.641442000", lastTime="2024-03-11T16:13:46", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="New York", Country="United States", Region="New York", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Delivery", annotations._all="T1586", annotations._all="Suspicious Okta Activity", annotations._all="T1078", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-02-28T14:10:15", info_max_time="1712097000.000000000", info_min_time="1699070400.000000000", info_search_time="1712097763.641442000", lastTime="2024-02-28T14:10:15", lat="40.76520", lon="-73.95880", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="72.43.121.43", threat_object="72.43.121.43", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Delivery", annotations._all="T1586", annotations._all="Suspicious Okta Activity", annotations._all="T1078", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="7", dest="dev-64597797.okta.com", firstTime="2024-02-29T17:57:42", info_max_time="1712097000.000000000", info_min_time="1699070400.000000000", info_search_time="1712097763.641442000", lastTime="2024-02-29T18:29:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Delivery", annotations._all="T1586", annotations._all="Suspicious Okta Activity", annotations._all="T1078", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="3", dest="dev-64597797.okta.com", firstTime="2024-02-29T16:24:48", info_max_time="1712097000.000000000", info_min_time="1699070400.000000000", info_search_time="1712097763.641442000", lastTime="2024-02-29T16:25:35", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Delivery", annotations._all="T1586", annotations._all="Suspicious Okta Activity", annotations._all="T1078", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-23T14:29:45", info_max_time="1712097000.000000000", info_min_time="1699070400.000000000", info_search_time="1712097763.641442000", lastTime="2024-01-23T14:29:45", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Delivery", annotations._all="T1586", annotations._all="Suspicious Okta Activity", annotations._all="T1078", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-12T15:02:39", info_max_time="1712097000.000000000", info_min_time="1699070400.000000000", info_search_time="1712097763.641442000", lastTime="2024-01-12T15:02:39", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.195.223]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.195.223", threat_object="23.93.195.223", threat_object_type="ip_address", user="victim_user@acme.com"
1701406800, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1701406800", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Weaponization", annotations._all="T1586.003", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Delivery", annotations._all="T1586", annotations._all="Suspicious Okta Activity", annotations._all="T1078", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1078.004", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2023-12-14T20:34:00", info_max_time="1712097000.000000000", info_min_time="1699070400.000000000", info_search_time="1712097763.641442000", lastTime="2023-12-14T20:34:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1712097580, search_name="ESCU - Okta User Logins from Multiple Cities - DM - Rule", City="", City="Frankfurt am Main", City="New York", Country="Germany", Country="United States", action="failure", action="success", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Weaponization\"], \"mitre_attack\": [\"T1586.003\"], \"nist\": [\"DE.AE\"]}", annotations._all="Weaponization", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Suspicious Okta Activity", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.mitre_attack="T1586.003", annotations.nist="DE.AE", count="9", distinct_city="3", distinct_src="5", firstTime="1701406800", info_max_time="1712096700.000000000", info_min_time="1699070400.000000000", info_search_time="1712097576.187476000", lastTime="1709269200", risk_message="A user [victim_user@acme.com] has logged in from multiple cities [
Frankfurt am Main
New York] from IP Address - [18.185.207.118 23.93.195.223 23.93.210.147 23.93.213.13 72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects logins from the same user from different cities in a 24 hour period.  This could be an indication of a compromised account.", src="18.185.207.118", src="23.93.195.223", src="23.93.210.147", src="23.93.213.13", src="72.43.121.43", threat_object="18.185.207.118", threat_object="23.93.195.223", threat_object="23.93.210.147", threat_object="23.93.213.13", threat_object="72.43.121.43", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", user="victim_user@acme.com"
1709247000, search_name="ESCU - Okta New Device Enrolled on Account - Rule", orig_time="1709247000", action="created", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 40, \"kill_chain_phases\": [\"Installation\", \"Exploitation\"], \"mitre_attack\": [\"T1098\", \"T1098.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1098.005", annotations._all="T1098", annotations._all="Installation", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="Okta Account Takeover", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1098", annotations.mitre_attack="T1098.005", annotations.nist="DE.CM", command="device.enrollment.create", count="1", firstTime="2024-02-29T17:52:54", info_max_time="1712096700.000000000", info_min_time="1699070400.000000000", info_search_time="1712097521.583342000", lastTime="2024-02-29T17:52:54", object_category="UDDevice", result="Enroll new device", risk_message="victim_user@acme.com has added a new device to their account.", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="24.0", savedsearch_description="The following analytic will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", orig_sourcetype="OktaIM2:log", src="23.93.210.147", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1087.004", annotations._all="DE.AE", annotations._all="Suspicious Okta Activity", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712096700.000000000", info_min_time="1699070400.000000000", info_search_time="1712097494.254997000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1087.004", annotations._all="DE.AE", annotations._all="Suspicious Okta Activity", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712096700.000000000", info_min_time="1699070400.000000000", info_search_time="1712097494.254997000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1087.004", annotations._all="DE.AE", annotations._all="Suspicious Okta Activity", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712096700.000000000", info_min_time="1699070400.000000000", info_search_time="1712097494.254997000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="Suspicious Okta Activity", annotations._all="T1586", annotations._all="T1078.004", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="T1621", annotations._all="T1586.003", annotations._all="Installation", annotations._all="Exploitation", annotations._all="Weaponization", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="13", dest="dev-64597797.okta.com", firstTime="2024-03-04T15:28:40", info_max_time="1712096700.000000000", info_min_time="1699070400.000000000", info_search_time="1712097463.745422000", lastTime="2024-03-20T20:55:02", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="Suspicious Okta Activity", annotations._all="T1586", annotations._all="T1078.004", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="T1621", annotations._all="T1586.003", annotations._all="Installation", annotations._all="Exploitation", annotations._all="Weaponization", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="4", dest="dev-64597797.okta.com", firstTime="2024-03-11T16:11:45", info_max_time="1712096700.000000000", info_min_time="1699070400.000000000", info_search_time="1712097463.745422000", lastTime="2024-03-11T16:13:46", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="New York", Country="United States", Region="New York", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="Suspicious Okta Activity", annotations._all="T1586", annotations._all="T1078.004", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="T1621", annotations._all="T1586.003", annotations._all="Installation", annotations._all="Exploitation", annotations._all="Weaponization", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-02-28T14:10:15", info_max_time="1712096700.000000000", info_min_time="1699070400.000000000", info_search_time="1712097463.745422000", lastTime="2024-02-28T14:10:15", lat="40.76520", lon="-73.95880", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="72.43.121.43", threat_object="72.43.121.43", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="Suspicious Okta Activity", annotations._all="T1586", annotations._all="T1078.004", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="T1621", annotations._all="T1586.003", annotations._all="Installation", annotations._all="Exploitation", annotations._all="Weaponization", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="7", dest="dev-64597797.okta.com", firstTime="2024-02-29T17:57:42", info_max_time="1712096700.000000000", info_min_time="1699070400.000000000", info_search_time="1712097463.745422000", lastTime="2024-02-29T18:29:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="Suspicious Okta Activity", annotations._all="T1586", annotations._all="T1078.004", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="T1621", annotations._all="T1586.003", annotations._all="Installation", annotations._all="Exploitation", annotations._all="Weaponization", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="3", dest="dev-64597797.okta.com", firstTime="2024-02-29T16:24:48", info_max_time="1712096700.000000000", info_min_time="1699070400.000000000", info_search_time="1712097463.745422000", lastTime="2024-02-29T16:25:35", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="Suspicious Okta Activity", annotations._all="T1586", annotations._all="T1078.004", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="T1621", annotations._all="T1586.003", annotations._all="Installation", annotations._all="Exploitation", annotations._all="Weaponization", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-23T14:29:45", info_max_time="1712096700.000000000", info_min_time="1699070400.000000000", info_search_time="1712097463.745422000", lastTime="2024-01-23T14:29:45", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="Suspicious Okta Activity", annotations._all="T1586", annotations._all="T1078.004", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="T1621", annotations._all="T1586.003", annotations._all="Installation", annotations._all="Exploitation", annotations._all="Weaponization", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-12T15:02:39", info_max_time="1712096700.000000000", info_min_time="1699070400.000000000", info_search_time="1712097463.745422000", lastTime="2024-01-12T15:02:39", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.195.223]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.195.223", threat_object="23.93.195.223", threat_object_type="ip_address", user="victim_user@acme.com"
1701406800, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1701406800", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="Suspicious Okta Activity", annotations._all="T1586", annotations._all="T1078.004", annotations._all="Delivery", annotations._all="CIS 10", annotations._all="T1621", annotations._all="T1586.003", annotations._all="Installation", annotations._all="Exploitation", annotations._all="Weaponization", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2023-12-14T20:34:00", info_max_time="1712096700.000000000", info_min_time="1699070400.000000000", info_search_time="1712097463.745422000", lastTime="2023-12-14T20:34:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1712097279, search_name="ESCU - Okta User Logins from Multiple Cities - DM - Rule", City="", City="Frankfurt am Main", City="New York", Country="Germany", Country="United States", action="failure", action="success", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Weaponization\"], \"mitre_attack\": [\"T1586.003\"], \"nist\": [\"DE.AE\"]}", annotations._all="T1586.003", annotations._all="Weaponization", annotations._all="Suspicious Okta Activity", annotations._all="CIS 10", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.mitre_attack="T1586.003", annotations.nist="DE.AE", count="9", distinct_city="3", distinct_src="5", firstTime="1701406800", info_max_time="1712096400.000000000", info_min_time="1699070400.000000000", info_search_time="1712097275.803922000", lastTime="1709269200", risk_message="A user [victim_user@acme.com] has logged in from multiple cities [
Frankfurt am Main
New York] from IP Address - [18.185.207.118 23.93.195.223 23.93.210.147 23.93.213.13 72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects logins from the same user from different cities in a 24 hour period.  This could be an indication of a compromised account.", src="18.185.207.118", src="23.93.195.223", src="23.93.210.147", src="23.93.213.13", src="72.43.121.43", threat_object="18.185.207.118", threat_object="23.93.195.223", threat_object="23.93.210.147", threat_object="23.93.213.13", threat_object="72.43.121.43", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", user="victim_user@acme.com"
1709247000, search_name="ESCU - Okta New Device Enrolled on Account - Rule", orig_time="1709247000", action="created", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 40, \"kill_chain_phases\": [\"Installation\", \"Exploitation\"], \"mitre_attack\": [\"T1098\", \"T1098.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="Exploitation", annotations._all="DE.CM", annotations._all="Installation", annotations._all="T1098", annotations._all="CIS 10", annotations._all="Okta Account Takeover", annotations._all="T1098.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1098", annotations.mitre_attack="T1098.005", annotations.nist="DE.CM", command="device.enrollment.create", count="1", firstTime="2024-02-29T17:52:54", info_max_time="1712096400.000000000", info_min_time="1699070400.000000000", info_search_time="1712097221.437044000", lastTime="2024-02-29T17:52:54", object_category="UDDevice", result="Enroll new device", risk_message="victim_user@acme.com has added a new device to their account.", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="24.0", savedsearch_description="The following analytic will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", orig_sourcetype="OktaIM2:log", src="23.93.210.147", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Suspicious Okta Activity", annotations._all="T1087.004", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712096400.000000000", info_min_time="1699070400.000000000", info_search_time="1712097193.986957000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Suspicious Okta Activity", annotations._all="T1087.004", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712096400.000000000", info_min_time="1699070400.000000000", info_search_time="1712097193.986957000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Suspicious Okta Activity", annotations._all="T1087.004", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712096400.000000000", info_min_time="1699070400.000000000", info_search_time="1712097193.986957000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Installation", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="T1621", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1586", annotations._all="T1586.003", annotations._all="T1078", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="13", dest="dev-64597797.okta.com", firstTime="2024-03-04T15:28:40", info_max_time="1712096400.000000000", info_min_time="1699070400.000000000", info_search_time="1712097164.321013000", lastTime="2024-03-20T20:55:02", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Installation", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="T1621", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1586", annotations._all="T1586.003", annotations._all="T1078", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="4", dest="dev-64597797.okta.com", firstTime="2024-03-11T16:11:45", info_max_time="1712096400.000000000", info_min_time="1699070400.000000000", info_search_time="1712097164.321013000", lastTime="2024-03-11T16:13:46", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="New York", Country="United States", Region="New York", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Installation", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="T1621", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1586", annotations._all="T1586.003", annotations._all="T1078", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-02-28T14:10:15", info_max_time="1712096400.000000000", info_min_time="1699070400.000000000", info_search_time="1712097164.321013000", lastTime="2024-02-28T14:10:15", lat="40.76520", lon="-73.95880", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="72.43.121.43", threat_object="72.43.121.43", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Installation", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="T1621", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1586", annotations._all="T1586.003", annotations._all="T1078", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="7", dest="dev-64597797.okta.com", firstTime="2024-02-29T17:57:42", info_max_time="1712096400.000000000", info_min_time="1699070400.000000000", info_search_time="1712097164.321013000", lastTime="2024-02-29T18:29:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Installation", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="T1621", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1586", annotations._all="T1586.003", annotations._all="T1078", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="3", dest="dev-64597797.okta.com", firstTime="2024-02-29T16:24:48", info_max_time="1712096400.000000000", info_min_time="1699070400.000000000", info_search_time="1712097164.321013000", lastTime="2024-02-29T16:25:35", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Installation", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="T1621", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1586", annotations._all="T1586.003", annotations._all="T1078", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-23T14:29:45", info_max_time="1712096400.000000000", info_min_time="1699070400.000000000", info_search_time="1712097164.321013000", lastTime="2024-01-23T14:29:45", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Installation", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="T1621", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1586", annotations._all="T1586.003", annotations._all="T1078", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-12T15:02:39", info_max_time="1712096400.000000000", info_min_time="1699070400.000000000", info_search_time="1712097164.321013000", lastTime="2024-01-12T15:02:39", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.195.223]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.195.223", threat_object="23.93.195.223", threat_object_type="ip_address", user="victim_user@acme.com"
1701406800, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1701406800", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="Installation", annotations._all="T1078.004", annotations._all="Exploitation", annotations._all="T1621", annotations._all="DE.CM", annotations._all="Weaponization", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1586", annotations._all="T1586.003", annotations._all="T1078", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2023-12-14T20:34:00", info_max_time="1712096400.000000000", info_min_time="1699070400.000000000", info_search_time="1712097164.321013000", lastTime="2023-12-14T20:34:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1712096980, search_name="ESCU - Okta User Logins from Multiple Cities - DM - Rule", City="", City="Frankfurt am Main", City="New York", Country="Germany", Country="United States", action="failure", action="success", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Weaponization\"], \"mitre_attack\": [\"T1586.003\"], \"nist\": [\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="Suspicious Okta Activity", annotations._all="T1586.003", annotations._all="CIS 10", annotations._all="Weaponization", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.mitre_attack="T1586.003", annotations.nist="DE.AE", count="9", distinct_city="3", distinct_src="5", firstTime="1701406800", info_max_time="1712096100.000000000", info_min_time="1699070400.000000000", info_search_time="1712096976.137625000", lastTime="1709269200", risk_message="A user [victim_user@acme.com] has logged in from multiple cities [
Frankfurt am Main
New York] from IP Address - [18.185.207.118 23.93.195.223 23.93.210.147 23.93.213.13 72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects logins from the same user from different cities in a 24 hour period.  This could be an indication of a compromised account.", src="18.185.207.118", src="23.93.195.223", src="23.93.210.147", src="23.93.213.13", src="72.43.121.43", threat_object="18.185.207.118", threat_object="23.93.195.223", threat_object="23.93.210.147", threat_object="23.93.213.13", threat_object="72.43.121.43", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", user="victim_user@acme.com"
1709247000, search_name="ESCU - Okta New Device Enrolled on Account - Rule", orig_time="1709247000", action="created", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 40, \"kill_chain_phases\": [\"Installation\", \"Exploitation\"], \"mitre_attack\": [\"T1098\", \"T1098.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1098", annotations._all="Okta Account Takeover", annotations._all="CIS 10", annotations._all="Installation", annotations._all="T1098.005", annotations._all="Exploitation", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1098", annotations.mitre_attack="T1098.005", annotations.nist="DE.CM", command="device.enrollment.create", count="1", firstTime="2024-02-29T17:52:54", info_max_time="1712096100.000000000", info_min_time="1699070400.000000000", info_search_time="1712096921.716276000", lastTime="2024-02-29T17:52:54", object_category="UDDevice", result="Enroll new device", risk_message="victim_user@acme.com has added a new device to their account.", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="24.0", savedsearch_description="The following analytic will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", orig_sourcetype="OktaIM2:log", src="23.93.210.147", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Exploitation", annotations._all="DE.AE", annotations._all="T1087.004", annotations._all="Suspicious Okta Activity", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712096100.000000000", info_min_time="1699070400.000000000", info_search_time="1712096893.478941000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Exploitation", annotations._all="DE.AE", annotations._all="T1087.004", annotations._all="Suspicious Okta Activity", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712096100.000000000", info_min_time="1699070400.000000000", info_search_time="1712096893.478941000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="Exploitation", annotations._all="DE.AE", annotations._all="T1087.004", annotations._all="Suspicious Okta Activity", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712096100.000000000", info_min_time="1699070400.000000000", info_search_time="1712096893.478941000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="T1078.004", annotations._all="T1586", annotations._all="Installation", annotations._all="T1586.003", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="Suspicious Okta Activity", annotations._all="T1621", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="Delivery", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="13", dest="dev-64597797.okta.com", firstTime="2024-03-04T15:28:40", info_max_time="1712096100.000000000", info_min_time="1699070400.000000000", info_search_time="1712096864.250665000", lastTime="2024-03-20T20:55:02", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="T1078.004", annotations._all="T1586", annotations._all="Installation", annotations._all="T1586.003", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="Suspicious Okta Activity", annotations._all="T1621", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="Delivery", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="4", dest="dev-64597797.okta.com", firstTime="2024-03-11T16:11:45", info_max_time="1712096100.000000000", info_min_time="1699070400.000000000", info_search_time="1712096864.250665000", lastTime="2024-03-11T16:13:46", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="New York", Country="United States", Region="New York", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="T1078.004", annotations._all="T1586", annotations._all="Installation", annotations._all="T1586.003", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="Suspicious Okta Activity", annotations._all="T1621", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="Delivery", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-02-28T14:10:15", info_max_time="1712096100.000000000", info_min_time="1699070400.000000000", info_search_time="1712096864.250665000", lastTime="2024-02-28T14:10:15", lat="40.76520", lon="-73.95880", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="72.43.121.43", threat_object="72.43.121.43", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="T1078.004", annotations._all="T1586", annotations._all="Installation", annotations._all="T1586.003", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="Suspicious Okta Activity", annotations._all="T1621", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="Delivery", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="7", dest="dev-64597797.okta.com", firstTime="2024-02-29T17:57:42", info_max_time="1712096100.000000000", info_min_time="1699070400.000000000", info_search_time="1712096864.250665000", lastTime="2024-02-29T18:29:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="T1078.004", annotations._all="T1586", annotations._all="Installation", annotations._all="T1586.003", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="Suspicious Okta Activity", annotations._all="T1621", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="Delivery", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="3", dest="dev-64597797.okta.com", firstTime="2024-02-29T16:24:48", info_max_time="1712096100.000000000", info_min_time="1699070400.000000000", info_search_time="1712096864.250665000", lastTime="2024-02-29T16:25:35", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="T1078.004", annotations._all="T1586", annotations._all="Installation", annotations._all="T1586.003", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="Suspicious Okta Activity", annotations._all="T1621", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="Delivery", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-23T14:29:45", info_max_time="1712096100.000000000", info_min_time="1699070400.000000000", info_search_time="1712096864.250665000", lastTime="2024-01-23T14:29:45", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="T1078.004", annotations._all="T1586", annotations._all="Installation", annotations._all="T1586.003", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="Suspicious Okta Activity", annotations._all="T1621", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="Delivery", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-12T15:02:39", info_max_time="1712096100.000000000", info_min_time="1699070400.000000000", info_search_time="1712096864.250665000", lastTime="2024-01-12T15:02:39", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.195.223]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.195.223", threat_object="23.93.195.223", threat_object_type="ip_address", user="victim_user@acme.com"
1701406800, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1701406800", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1078", annotations._all="T1078.004", annotations._all="T1586", annotations._all="Installation", annotations._all="T1586.003", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="Suspicious Okta Activity", annotations._all="T1621", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="Delivery", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2023-12-14T20:34:00", info_max_time="1712096100.000000000", info_min_time="1699070400.000000000", info_search_time="1712096864.250665000", lastTime="2023-12-14T20:34:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1712096680, search_name="ESCU - Okta User Logins from Multiple Cities - DM - Rule", City="", City="Frankfurt am Main", City="New York", Country="Germany", Country="United States", action="failure", action="success", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Weaponization\"], \"mitre_attack\": [\"T1586.003\"], \"nist\": [\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="Weaponization", annotations._all="Suspicious Okta Activity", annotations._all="CIS 10", annotations._all="T1586.003", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.mitre_attack="T1586.003", annotations.nist="DE.AE", count="9", distinct_city="3", distinct_src="5", firstTime="1701406800", info_max_time="1712095800.000000000", info_min_time="1699070400.000000000", info_search_time="1712096676.148788000", lastTime="1709269200", risk_message="A user [victim_user@acme.com] has logged in from multiple cities [
Frankfurt am Main
New York] from IP Address - [18.185.207.118 23.93.195.223 23.93.210.147 23.93.213.13 72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects logins from the same user from different cities in a 24 hour period.  This could be an indication of a compromised account.", src="18.185.207.118", src="23.93.195.223", src="23.93.210.147", src="23.93.213.13", src="72.43.121.43", threat_object="18.185.207.118", threat_object="23.93.195.223", threat_object="23.93.210.147", threat_object="23.93.213.13", threat_object="72.43.121.43", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", threat_object_type="ip_address", user="victim_user@acme.com"
1709247000, search_name="ESCU - Okta New Device Enrolled on Account - Rule", orig_time="1709247000", action="created", analyticstories="Okta Account Takeover", annotations="{\"analytic_story\": [\"Okta Account Takeover\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 40, \"kill_chain_phases\": [\"Installation\", \"Exploitation\"], \"mitre_attack\": [\"T1098\", \"T1098.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1098", annotations._all="Exploitation", annotations._all="Installation", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Okta Account Takeover", annotations._all="T1098.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Okta Account Takeover", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1098", annotations.mitre_attack="T1098.005", annotations.nist="DE.CM", command="device.enrollment.create", count="1", firstTime="2024-02-29T17:52:54", info_max_time="1712095800.000000000", info_min_time="1699070400.000000000", info_search_time="1712096621.642123000", lastTime="2024-02-29T17:52:54", object_category="UDDevice", result="Enroll new device", risk_message="victim_user@acme.com has added a new device to their account.", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="24.0", savedsearch_description="The following analytic will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", orig_sourcetype="OktaIM2:log", src="23.93.210.147", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="DE.AE", annotations._all="Exploitation", annotations._all="T1087.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712095800.000000000", info_min_time="1699070400.000000000", info_search_time="1712096594.217403000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="DE.AE", annotations._all="Exploitation", annotations._all="T1087.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712095800.000000000", info_min_time="1699070400.000000000", info_search_time="1712096594.217403000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Unauthorized Access to Application - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 90, \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1087.004\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="Suspicious Okta Activity", annotations._all="DE.AE", annotations._all="Exploitation", annotations._all="T1087.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1087.004", annotations.nist="DE.AE", app="Okta Admin Console", info_max_time="1712095800.000000000", info_min_time="1699070400.000000000", info_search_time="1712096594.217403000", lat="37.75100", lon="-97.82200", reason="User attempted unauthorized access to app", risk_message="A user [victim_user@acme.com] is attempting to access an unautorized application from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="81.0", savedsearch_description="This search detects when a user is trying to access an okta application that is not assigned to the user. This unauthorized access to applications represents a significant security risk, as it can lead to the exposure of sensitive information, disruption of services, and potential breaches of data protection laws. Ensuring that only authorized users can access applications is a fundamental aspect of maintaining a secure and compliant IT environment.", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586.003", annotations._all="Installation", annotations._all="Exploitation", annotations._all="T1078", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1586", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1078.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="13", dest="dev-64597797.okta.com", firstTime="2024-03-04T15:28:40", info_max_time="1712095800.000000000", info_min_time="1699070400.000000000", info_search_time="1712096563.805356000", lastTime="2024-03-20T20:55:02", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1709269200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1709269200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586.003", annotations._all="Installation", annotations._all="Exploitation", annotations._all="T1078", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1586", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1078.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="4", dest="dev-64597797.okta.com", firstTime="2024-03-11T16:11:45", info_max_time="1712095800.000000000", info_min_time="1699070400.000000000", info_search_time="1712096563.805356000", lastTime="2024-03-11T16:13:46", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="New York", Country="United States", Region="New York", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586.003", annotations._all="Installation", annotations._all="Exploitation", annotations._all="T1078", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1586", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1078.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-02-28T14:10:15", info_max_time="1712095800.000000000", info_min_time="1699070400.000000000", info_search_time="1712096563.805356000", lastTime="2024-02-28T14:10:15", lat="40.76520", lon="-73.95880", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [72.43.121.43]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="72.43.121.43", threat_object="72.43.121.43", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586.003", annotations._all="Installation", annotations._all="Exploitation", annotations._all="T1078", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1586", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1078.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="7", dest="dev-64597797.okta.com", firstTime="2024-02-29T17:57:42", info_max_time="1712095800.000000000", info_min_time="1699070400.000000000", info_search_time="1712096563.805356000", lastTime="2024-02-29T18:29:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1706763600, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", City="Frankfurt am Main", Country="Germany", Region="Hesse", orig_time="1706763600", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586.003", annotations._all="Installation", annotations._all="Exploitation", annotations._all="T1078", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1586", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1078.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="3", dest="dev-64597797.okta.com", firstTime="2024-02-29T16:24:48", info_max_time="1712095800.000000000", info_min_time="1699070400.000000000", info_search_time="1712096563.805356000", lastTime="2024-02-29T16:25:35", lat="50.11880", lon="8.68430", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [18.185.207.118]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="18.185.207.118", threat_object="18.185.207.118", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586.003", annotations._all="Installation", annotations._all="Exploitation", annotations._all="T1078", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1586", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1078.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-23T14:29:45", info_max_time="1712095800.000000000", info_min_time="1699070400.000000000", info_search_time="1712096563.805356000", lastTime="2024-01-23T14:29:45", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.210.147]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.210.147", threat_object="23.93.210.147", threat_object_type="ip_address", user="victim_user@acme.com"
1704085200, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1704085200", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586.003", annotations._all="Installation", annotations._all="Exploitation", annotations._all="T1078", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1586", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1078.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2024-01-12T15:02:39", info_max_time="1712095800.000000000", info_min_time="1699070400.000000000", info_search_time="1712096563.805356000", lastTime="2024-01-12T15:02:39", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.195.223]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.195.223", threat_object="23.93.195.223", threat_object_type="ip_address", user="victim_user@acme.com"
1701406800, search_name="ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule", Country="United States", orig_time="1701406800", action="failure", analyticstories="Suspicious Okta Activity", annotations="{\"analytic_story\": [\"Suspicious Okta Activity\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 80, \"kill_chain_phases\": [\"Weaponization\", \"Exploitation\", \"Delivery\", \"Installation\"], \"mitre_attack\": [\"T1586\", \"T1586.003\", \"T1078\", \"T1078.004\", \"T1621\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1586.003", annotations._all="Installation", annotations._all="Exploitation", annotations._all="T1078", annotations._all="CIS 10", annotations._all="Weaponization", annotations._all="T1621", annotations._all="DE.CM", annotations._all="T1586", annotations._all="Suspicious Okta Activity", annotations._all="Delivery", annotations._all="T1078.004", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Okta Activity", annotations.cis20="CIS 10", annotations.kill_chain_phases="Weaponization", annotations.kill_chain_phases="Exploitation", annotations.kill_chain_phases="Delivery", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1586", annotations.mitre_attack="T1586.003", annotations.mitre_attack="T1078", annotations.mitre_attack="T1078.004", annotations.mitre_attack="T1621", annotations.nist="DE.CM", app="Okta Identity Cloud", count="1", dest="dev-64597797.okta.com", firstTime="2023-12-14T20:34:00", info_max_time="1712095800.000000000", info_min_time="1699070400.000000000", info_search_time="1712096563.805356000", lastTime="2023-12-14T20:34:00", lat="37.75100", lon="-97.82200", reason="INVALID_CREDENTIALS", risk_message="A user [victim_user@acme.com] has failed to authenticate via MFA from IP Address - [23.93.213.13]\"", risk_object="victim_user@acme.com", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", signature="user.authentication.auth_via_mfa", src="23.93.213.13", threat_object="23.93.213.13", threat_object_type="ip_address", user="victim_user@acme.com"