Okta Sign-In Events via Third-Party IdP

Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2023/11/06"
  3integration = ["okta"]
  4maturity = "production"
  5updated_date = "2024/12/09"
  6min_stack_version = "8.15.0"
  7min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
  8
  9[rule]
 10author = ["Elastic"]
 11description = "Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP)."
 12from = "now-30m"
 13index = ["filebeat-*", "logs-okta*"]
 14interval = "15m"
 15language = "kuery"
 16license = "Elastic License v2"
 17name = "Okta Sign-In Events via Third-Party IdP"
 18note = """## Triage and analysis
 19
 20### Investigating Okta Sign-In Events via Third-Party IdP
 21
 22This rule detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).
 23
 24Adversaries may attempt to add an unauthorized IdP to an Okta tenant to gain access to the tenant. Following this action, adversaries may attempt to sign in to the tenant using the unauthorized IdP. This rule detects both the addition of an unauthorized IdP and the subsequent sign-in attempt.
 25
 26#### Possible investigation steps:
 27- Identify the third-party IdP by examining the `okta.authentication_context.issuer.id` field.
 28- Once the third-party IdP is identified, determine if this IdP is authorized to be used by the tenant.
 29- If the IdP is unauthorized, deactivate it immediately via the Okta console.
 30- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields in historical data.
 31    - The `New Okta Identity Provider (IdP) Added by Admin` rule may be helpful in identifying the actor and the IdP creation event.
 32- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
 33- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.
 34- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.
 35- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.
 36- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.
 37
 38### False positive analysis:
 39- It might be a false positive if this IdP is authorized to be used by the tenant.
 40- This may be a false positive if an authorized third-party IdP is used to sign in to the tenant but failures occurred due to an incorrect configuration.
 41
 42### Response and remediation:
 43- If the IdP is unauthorized, deactivate it immediately via the Okta console.
 44- Reset the effected user's password and enforce MFA re-enrollment, if applicable.
 45- Mobile device forensics may be required to determine if the user's device is compromised.
 46- If the IdP is authorized, ensure that the actor who created it is authorized to do so.
 47- If the actor is unauthorized, deactivate their account via the Okta console.
 48- If the actor is authorized, ensure that the actor's account is not compromised.
 49
 50- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.
 51- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
 52- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.
 53
 54## Setup
 55
 56The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 57"""
 58references = [
 59    "https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/",
 60    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 61    "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 62    "https://unit42.paloaltonetworks.com/muddled-libra/",
 63    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
 64    "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 65]
 66risk_score = 47
 67rule_id = "1ceb05c4-7d25-11ee-9562-f661ea17fbcd"
 68severity = "medium"
 69tags = ["Use Case: Identity and Access Audit", "Tactic: Initial Access", "Data Source: Okta"]
 70timestamp_override = "event.ingested"
 71type = "query"
 72
 73query = '''
 74event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and
 75    (not okta.authentication_context.issuer.id:Okta and event.action:(user.authentication.auth_via_IDP
 76        or user.authentication.auth_via_inbound_SAML
 77        or user.authentication.auth_via_mfa
 78        or user.authentication.auth_via_social)
 79        or event.action:user.session.start) or
 80    (event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE
 81        and okta.outcome.reason:("A SAML assert with the same ID has already been processed by Okta for a previous request"
 82            or "Unable to match transformed username"
 83            or "Unable to resolve IdP endpoint"
 84            or "Unable to validate SAML Response"
 85            or "Unable to validate incoming SAML Assertion"))
 86'''
 87
 88
 89[[rule.threat]]
 90framework = "MITRE ATT&CK"
 91[[rule.threat.technique]]
 92id = "T1199"
 93name = "Trusted Relationship"
 94reference = "https://attack.mitre.org/techniques/T1199/"
 95
 96
 97[rule.threat.tactic]
 98id = "TA0001"
 99name = "Initial Access"
100reference = "https://attack.mitre.org/tactics/TA0001/"

Triage and analysis

Investigating Okta Sign-In Events via Third-Party IdP

This rule detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).

Adversaries may attempt to add an unauthorized IdP to an Okta tenant to gain access to the tenant. Following this action, adversaries may attempt to sign in to the tenant using the unauthorized IdP. This rule detects both the addition of an unauthorized IdP and the subsequent sign-in attempt.

Possible investigation steps:

  • Identify the third-party IdP by examining the okta.authentication_context.issuer.id field.
  • Once the third-party IdP is identified, determine if this IdP is authorized to be used by the tenant.
  • If the IdP is unauthorized, deactivate it immediately via the Okta console.
  • Identify the actor associated with the IdP creation by examining the okta.actor.id, okta.actor.type, okta.actor.alternate_id, and okta.actor.display_name fields in historical data.
    • The New Okta Identity Provider (IdP) Added by Admin rule may be helpful in identifying the actor and the IdP creation event.
  • Determine the client used by the actor. Review the okta.client.ip, okta.client.user_agent.raw_user_agent, okta.client.zone, okta.client.device, and okta.client.id fields.
  • If the client is a device, check the okta.device.id, okta.device.name, okta.device.os_platform, okta.device.os_version, and okta.device.managed fields.
  • Review the past activities of the actor involved in this action by checking their previous actions logged in the okta.target field.
  • Examine the okta.request.ip_chain field to potentially determine if the actor used a proxy or VPN to perform this action.
  • Evaluate the actions that happened just before and after this event in the okta.event_type field to help understand the full context of the activity.

False positive analysis:

  • It might be a false positive if this IdP is authorized to be used by the tenant.
  • This may be a false positive if an authorized third-party IdP is used to sign in to the tenant but failures occurred due to an incorrect configuration.

Response and remediation:

  • If the IdP is unauthorized, deactivate it immediately via the Okta console.

  • Reset the effected user's password and enforce MFA re-enrollment, if applicable.

  • Mobile device forensics may be required to determine if the user's device is compromised.

  • If the IdP is authorized, ensure that the actor who created it is authorized to do so.

  • If the actor is unauthorized, deactivate their account via the Okta console.

  • If the actor is authorized, ensure that the actor's account is not compromised.

  • Block the IP address or device used in the attempts if they appear suspicious, using the data from the okta.client.ip and okta.device.id fields.

  • Conduct a review of Okta policies and ensure they are in accordance with security best practices.

  • If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.

Setup

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top