Unusual Source IP for Okta Privileged Operations Detected

A machine learning job has identified a user performing privileged operations in Okta from an uncommon source IP, indicating potential privileged access activity. This could suggest an account compromise, misuse of administrative privileges, or an attacker leveraging a new network location to escalate privileges.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2025/02/18"
integration = ["pad","okta"]
maturity = "production"
updated_date = "2025/02/18"
min_stack_version = "8.18.0"
min_stack_comments = "New PAD integration only available starting at 8.18.0."

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job has identified a user performing privileged operations in Okta from an uncommon source IP, indicating potential privileged access activity.
This could suggest an account compromise, misuse of administrative privileges, or an attacker leveraging a new network location to escalate privileges.
"""
from = "now-1h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_okta_rare_source_ip_by_user"
name = "Unusual Source IP for Okta Privileged Operations Detected"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/pad"
]
risk_score = 21
rule_id = "fbb10f1e-77cb-42f9-994e-5da17fc3fc15"
setup = """## Setup

The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.

### Privileged Access Detection Setup
The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.

#### Prerequisite Requirements:
- Fleet is required for Privileged Access Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.

#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
    "Use Case: Privileged Access Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide"
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Source IP for Okta Privileged Operations Detected

Okta is a widely used identity management service that controls access to applications and data. Adversaries may exploit Okta by using stolen credentials to perform privileged operations from unfamiliar IP addresses, indicating potential misuse or compromise. The detection rule leverages machine learning to identify deviations in IP usage patterns, flagging unusual access attempts that could signify privilege escalation or account compromise.

### Possible investigation steps

- Review the source IP address flagged by the alert to determine its geolocation and assess if it aligns with the user's typical access patterns or known locations.
- Check the Okta logs for the specific user account to identify any other recent activities from the same IP address or any other unusual IP addresses.
- Investigate the timing and nature of the privileged operations performed to determine if they align with the user's normal behavior or job responsibilities.
- Correlate the flagged IP address with any known threat intelligence feeds to check for any history of malicious activity associated with it.
- Contact the user to verify if they were aware of the access attempt and if they have recently used a new network location or VPN service.
- Examine any recent changes to the user's account settings or permissions that could indicate unauthorized modifications.

### False positive analysis

- Employees traveling or working remotely may trigger alerts due to accessing Okta from new IP addresses. To manage this, maintain a list of known IP ranges for remote work and travel, and configure exceptions for these ranges.
- Use of VPNs or proxy services can result in access from unfamiliar IPs. Regularly update the list of approved VPN or proxy IP addresses and exclude them from triggering alerts.
- Changes in corporate network infrastructure, such as new IP allocations, can cause false positives. Ensure that any changes in network configurations are communicated to the security team to update the detection rule's exceptions.
- Scheduled maintenance or testing activities by IT staff might appear as unusual access. Document and whitelist IP addresses used during these activities to prevent unnecessary alerts.
- Third-party integrations or services that access Okta on behalf of users can be mistaken for suspicious activity. Identify and whitelist these services' IP addresses to avoid false positives.

### Response and remediation

- Immediately isolate the affected user account by temporarily disabling it to prevent further unauthorized access.
- Conduct a thorough review of recent privileged operations performed by the affected account to identify any unauthorized changes or data access.
- Reset the password for the compromised account and enforce multi-factor authentication (MFA) to enhance security.
- Notify the security team and relevant stakeholders about the potential compromise for further investigation and monitoring.
- Review and update access logs to ensure all unusual IP addresses are flagged and monitored for any future access attempts.
- Implement network-based restrictions to block the identified unusual IP address from accessing the Okta environment.
- Conduct a post-incident analysis to identify the root cause and update security policies and procedures to prevent similar incidents in the future."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
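The rule's ML job scores a source IP as rare for a user; the false-positive notes then ask for exceptions covering known remote-work and VPN ranges. The following is an added illustration (not Elastic's rule logic or the PAD job) of that same idea as a plain per-user baseline check over constructed Okta System Log events: the set of privileged `eventType` values, the `203.0.113.0/24` known range, and all sample events are assumptions.

```python
import ipaddress
from collections import defaultdict

# Okta System Log eventType values treated as privileged operations (assumed set).
PRIVILEGED_EVENT_TYPES = {"user.account.privilege.grant",
                          "group.privilege.grant", "system.api_token.create"}
# Known remote-work / VPN egress ranges (constructed) that should not alert;
# this is the exception list the rule's false-positive notes describe.
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def is_known_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)

def build_baseline(events):
    """Per-user set of source IPs seen in historical events (any event type)."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["actor"]["alternateId"]].add(ev["client"]["ipAddress"])
    return baseline

def find_rare_source_ip_privileged_ops(baseline, new_events):
    """Return (user, ip, eventType) for privileged operations performed from
    an IP outside the user's baseline and outside every known range."""
    hits = []
    for ev in new_events:
        if ev["eventType"] not in PRIVILEGED_EVENT_TYPES:
            continue
        user, ip = ev["actor"]["alternateId"], ev["client"]["ipAddress"]
        if ip in baseline.get(user, set()) or is_known_range(ip):
            continue
        hits.append((user, ip, ev["eventType"]))
    return hits

def _ev(user, ip, event_type):  # constructed event in Okta System Log shape
    return {"actor": {"alternateId": user}, "client": {"ipAddress": ip},
            "eventType": event_type}

BASELINE_EVENTS = [_ev("alice@example.com", "198.51.100.10", "user.session.start"),
                   _ev("alice@example.com", "198.51.100.11", "user.account.privilege.grant")]
NEW_EVENTS = [
    _ev("alice@example.com", "198.51.100.10", "user.account.privilege.grant"),  # baseline IP
    _ev("alice@example.com", "203.0.113.7", "group.privilege.grant"),            # known VPN range
    _ev("alice@example.com", "192.0.2.44", "system.api_token.create"),           # rare IP: alert
    _ev("alice@example.com", "192.0.2.44", "user.session.start"),                # not privileged
]

def run_example():
    return find_rare_source_ip_privileged_ops(build_baseline(BASELINE_EVENTS), NEW_EVENTS)
```

Only the API-token creation from 192.0.2.44 survives: the baseline IP and the VPN-range IP are excepted, and the non-privileged session start from the rare IP is out of scope for this rule.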
