Okta Brute Force or Password Spraying Attack

 1[metadata]
 2creation_date = "2020/07/16"
 3integration = ["okta"]
 4maturity = "production"
 5min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
 6min_stack_version = "8.10.0"
 7updated_date = "2024/01/05"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative
13of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to
14obtain unauthorized access to user accounts.
15"""
16false_positives = [
17    """
18    Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
19    positives.
20    """,
21]
22index = ["filebeat-*", "logs-okta*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Okta Brute Force or Password Spraying Attack"
26note = """## Triage and analysis
27
28### Investigating Okta Brute Force or Password Spraying Attack
29
30This rule alerts when a high number of failed Okta user authentication attempts occur from a single IP address. This could be indicative of a brute force or password spraying attack, where an adversary may attempt to gain unauthorized access to user accounts by guessing the passwords.
31
32#### Possible investigation steps:
33
34- Review the `source.ip` field to identify the IP address from which the high volume of failed login attempts originated.
35- Look into the `event.outcome` field to verify that these are indeed failed authentication attempts.
36- Determine the `user.name` or `user.email` related to these failed login attempts. If the attempts are spread across multiple accounts, it might indicate a password spraying attack.
37- Check the timeline of the events. Are the failed attempts spread out evenly, or are there burst periods, which might indicate an automated tool?
38- Determine the geographical location of the source IP. Is this location consistent with the user's typical login location?
39- Analyze any previous successful logins from this IP. Was this IP previously associated with successful logins?
40
41### False positive analysis:
42
43- A single user or automated process that attempts to authenticate using expired or wrong credentials multiple times may trigger a false positive.
44- Analyze the behavior of the source IP. If the IP is associated with legitimate users or services, it may be a false positive.
45
46### Response and remediation:
47
48- If you identify unauthorized access attempts, consider blocking the source IP at the firewall level.
49- Notify the users who are targeted by the attack. Ask them to change their passwords and ensure they use unique, complex passwords.
50- Enhance monitoring on the affected user accounts for any suspicious activity.
51- If the attack is persistent, consider implementing CAPTCHA or account lockouts after a certain number of failed login attempts.
52- If the attack is persistent, consider implementing multi-factor authentication (MFA) for the affected user accounts.
53- Review and update your security policies based on the findings from the incident.
54
55## Setup
56
57The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
58references = [
59    "https://developer.okta.com/docs/reference/api/system-log/",
60    "https://developer.okta.com/docs/reference/api/event-types/",
61    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
62]
63risk_score = 47
64rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0"
65severity = "medium"
66tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
67type = "threshold"
68timestamp_override = "event.ingested"
69
70query = '''
71event.dataset:okta.system and event.category:authentication and event.outcome:failure
72'''
73
74
75[[rule.threat]]
76framework = "MITRE ATT&CK"
77[[rule.threat.technique]]
78id = "T1110"
79name = "Brute Force"
80reference = "https://attack.mitre.org/techniques/T1110/"
81
82
83[rule.threat.tactic]
84id = "TA0006"
85name = "Credential Access"
86reference = "https://attack.mitre.org/tactics/TA0006/"
87
88[rule.threshold]
89field = ["source.ip"]
90value = 25