/
credential_access_okta_brute_force_or_password_spraying.toml
91 lines (73 loc) · 4.02 KB
/
credential_access_okta_brute_force_or_password_spraying.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
[metadata]
creation_date = "2020/07/16"
integration = ["okta"]
maturity = "production"
min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
min_stack_version = "8.10.0"
updated_date = "2024/01/05"
[rule]
author = ["Elastic"]
description = """
Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative
of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to
obtain unauthorized access to user accounts.
"""
false_positives = [
"""
Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
positives.
""",
]
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Okta Brute Force or Password Spraying Attack"
note = """## Triage and analysis
### Investigating Okta Brute Force or Password Spraying Attack
This rule alerts when a high number of failed Okta user authentication attempts occur from a single IP address. This could be indicative of a brute force or password spraying attack, where an adversary may attempt to gain unauthorized access to user accounts by guessing the passwords.
#### Possible investigation steps:
- Review the `source.ip` field to identify the IP address from which the high volume of failed login attempts originated.
- Look into the `event.outcome` field to verify that these are indeed failed authentication attempts.
- Determine the `user.name` or `user.email` related to these failed login attempts. If the attempts are spread across multiple accounts, it might indicate a password spraying attack.
- Check the timeline of the events. Are the failed attempts spread out evenly, or are there burst periods, which might indicate an automated tool?
- Determine the geographical location of the source IP. Is this location consistent with the user's typical login location?
- Analyze any previous successful logins from this IP. Was this IP previously associated with successful logins?
### False positive analysis:
- A single user or automated process that attempts to authenticate using expired or wrong credentials multiple times may trigger a false positive.
- Analyze the behavior of the source IP. If the IP is associated with legitimate users or services, it may be a false positive.
### Response and remediation:
- If you identify unauthorized access attempts, consider blocking the source IP at the firewall level.
- Notify the users who are targeted by the attack. Ask them to change their passwords and ensure they use unique, complex passwords.
- Enhance monitoring on the affected user accounts for any suspicious activity.
- If the attack is persistent, consider implementing CAPTCHA or account lockouts after a certain number of failed login attempts.
- If the attack is persistent, consider implementing multi-factor authentication (MFA) for the affected user accounts.
- Review and update your security policies based on the findings from the incident.
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
]
risk_score = 47
rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
type = "threshold"
timestamp_override = "event.ingested"
query = '''
event.dataset:okta.system and event.category:authentication and event.outcome:failure
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[rule.threshold]
field = ["source.ip"]
value = 25