/
okta_user_logins_from_multiple_cities.yml
60 lines (60 loc) · 2.87 KB
/
okta_user_logins_from_multiple_cities.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
name: Okta User Logins from Multiple Cities
id: a3d1df37-c2a9-41d0-aa8f-59f82d6192a8
version: 1
date: '2024-03-07'
author: 'Bhavin Patel, Splunk'
data_source: []
type: Anomaly
status: production
description: This search identifies instances where the same user logs in from different cities within a 24-hour period, potentially indicating a compromised account. Such behavior may be indicative of an attacker attempting to gain unauthorized access to an Okta account from multiple locations. Investigating and responding to such incidents promptly is crucial to prevent account takeovers and data breaches.
search: '| tstats `security_content_summariesonly` values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason values(Authentication.dest) as dest values(Authentication.signature) as signature values(Authentication.method) as method from datamodel=Authentication where Authentication.signature=user.session.start by _time Authentication.src
| `drop_dm_object_name("Authentication")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| iplocation src
| stats count min(_time) as firstTime max(_time) as lastTime dc(src) as distinct_src dc(City) as distinct_city values(src) as src values(City) as City values(Country) as Country values(action) as action by user
| where distinct_city > 1 | `okta_user_logins_from_multiple_cities_filter`'
how_to_implement: This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
known_false_positives: It is uncommon for a user to log in from multiple cities simultaneously, which may indicate a false positive.
references:
- https://attack.mitre.org/techniques/T1110/003/
tags:
analytic_story:
- Okta Account Takeover
asset_type: Okta Tenant
confidence: 90
impact: 90
message: A user [$user$] has logged in from multiple cities [$City$] from IP Address - [$src$]. Investigate further to determine if this was authorized.
mitre_attack_id:
- T1586.003
observable:
- name: src
type: IP Address
role:
- Attacker
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Authentication.app
- Authentication.action
- Authentication.user
- Authentication.reason
- Authentication.dest
- Authentication.signature
- Authentication.method
- Authentication.src
risk_score: 81
security_domain: identity
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city_im2.log
source: Okta
sourcetype: OktaIM2:log