{
    "componentChunkName": "component---src-templates-blog-blog-list-template-blog-list-template-js",
    "path": "/articles/6",
    "result": {"data":{"allContentfulSecOktaComBlogPost":{"nodes":[{"updatedAt":"2024-06-07T03:39:23.677Z","slug":"/harfiles","node_locale":"en","date":"2024-02-08T12:34:22+00:00","secAuthor":[{"name":"David Bradbury","slug":"david-bradbury","jobTitle":"Chief Security Officer","id":"87a8e5b7-da9e-56f7-95dc-37bd1aaee0d9","bio":{"bio":"<p>David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. In addition, he is instrumental in helping Okta’s customers continue to adopt and accelerate Zero Trust security strategies. </p>\n\n<p>Prior to joining Okta, Bradbury was Senior Vice President and Chief Security Officer at Symantec where he led and had global oversight of all cyber security and physical security programs. </p>\n\n<p>Bradbury has built an international reputation for leading and delivering cybersecurity at scale. He has worked across his native Australia, as well as in the United Kingdom and the United States, leading highly-regarded security teams at some of the world’s largest banks, including ABN AMRO, Barclays, Morgan Stanley and the Commonwealth Bank of Australia. He holds a B.S. 
in Computer Science from the University of Sydney.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=15&h=23&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=29&h=44&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=58&h=87&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=116&h=174&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=58&h=87&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=15&h=23&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=29&h=44&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=58&h=87&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=116&h=174&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#e8e8d8","width":58,"height":87}}}],"title":"Okta October 2023 Security Incident Investigation 
Closure","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":null,"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Related Posts: \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/october-security-incident-recommended-actions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Recommended Actions\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" - Nov 29, 2023 / \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Root Cause Analysis [RCA]\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" - Nov 3, 2023 / \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/2023/10/tracking-unauthorized-access-oktas-support-system\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Incident\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" - Oct 20, 2023\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Stroz Friedberg, a leading cybersecurity forensics firm engaged by Okta, has concluded its independent investigation of the October 2023 security incident. The conclusions of Okta’s investigation have not changed, and Stroz Friedberg has confirmed there is no evidence of further malicious activity beyond what was previously determined by Okta. The October 2023 security incident forensic report is now available to our customers and partners. While this completes Okta’s investigation of this incident, putting security first will continue to be a top priority. 
We will communicate further advancements on our commitment to secure identity for the industry.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"As part of our response, we engaged with law enforcement, notified regulators, published indicators of compromise (IOCs), and provided a customized impact report to affected customers. Along with this report, we shared recommendations to help mitigate possible phishing and social engineering attacks.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Additionally, Okta has taken a number of steps to review and enhance the security of the Okta Help Center. We are also changing how and when access is provisioned to customer administrators as well as that system’s data retention policy.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"While Okta’s production service was not impacted, we continue to strengthen our products and recommend configurations that make our customers more secure. 
We’ve recently announced features that allow customers to secure their administrative access in an Okta tenant, strengthen session security, and enhance location-based access controls, including:\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"unordered-list\",\"content\":[{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Zero Standing Privileges for Okta Admins: Ensure admin roles are requested, approved, and assigned to authorized users only for the duration that access is needed.\",\"marks\":[],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"MFA Required for Protected Actions in Admin Console: Provide an additional layer of protection for critical actions in Okta by requiring step-up authentication for admins to perform high-impact actions.\",\"marks\":[],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"In Dynamic Zones, Ability to Detect and Block Requests from Anonymizers to Okta Endpoints: Protect critical assets (e.g, Admin Console, App Dashboard, others) and allow request blocking from specified VPNs, anonymous proxies, and similar.\",\"marks\":[],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Customers can now also apply IP binding to Okta products and Admin Console: Invalidate Okta sessions if the source IP changes during the session, which helps prevent session takeover. 
This is in addition to the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"initial remediation action for binding admin sessions\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Enforce an Allowlisted Network Zone for APIs: Restrict attackers and malware from stealing SSWS tokens, and from replaying them outside of the specified IP range in order to gain unauthorized access.\",\"marks\":[],\"data\":{}}],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta is committed to putting security first. We are continuing to invest in and deliver enhancements that secure customers, our products and services, and our corporate systems. While we have closed this investigation, our work is not done. In partnership with our customers and others, we know that together we can raise the bar for security practices in our industry. Look for more developments to be announced in the coming weeks.\",\"marks\":[],\"data\":{}}],\"data\":{}}]}"}},{"updatedAt":"2024-06-07T20:58:03.276Z","slug":"/october-security-incident-recommended-actions","node_locale":"en","date":"2023-11-29T08:03:19+00:00","secAuthor":[{"name":"David Bradbury","slug":"david-bradbury","jobTitle":"Chief Security Officer","id":"87a8e5b7-da9e-56f7-95dc-37bd1aaee0d9","bio":{"bio":"<p>David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. 
In addition, he is instrumental in helping Okta’s customers continue to adopt and accelerate Zero Trust security strategies. </p>\n\n<p>Prior to joining Okta, Bradbury was Senior Vice President and Chief Security Officer at Symantec where he led and had global oversight of all cyber security and physical security programs. </p>\n\n<p>Bradbury has built an international reputation for leading and delivering cybersecurity at scale. He has worked across his native Australia, as well as in the United Kingdom and the United States, leading highly-regarded security teams at some of the world’s largest banks, including ABN AMRO, Barclays, Morgan Stanley and the Commonwealth Bank of Australia. He holds a B.S. in Computer Science from the University of Sydney.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=15&h=23&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=29&h=44&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=58&h=87&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=116&h=174&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=58&h=87&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=15&h=23&fl=progressive&q=50&fm=jpg 
15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=29&h=44&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=58&h=87&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=116&h=174&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#e8e8d8","width":58,"height":87}}}],"title":"October Customer Support Security Incident - Update and Recommended Actions ","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":null,"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Related Posts: \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Root Cause Analysis [RCA]\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" - Nov 3, 2023 / \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/2023/10/tracking-unauthorized-access-oktas-support-system\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Incident\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" - Oct 20, 2023\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the wake of the security incident Okta 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/2023/10/tracking-unauthorized-access-oktas-support-system\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"disclosed\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in October 2023 affecting our customer support management system (also known as the Okta Help Center), Okta Security has continued to review our initial analysis \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"shared\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" on November 3, re-examining the actions that the threat actor performed. This included manually recreating reports the threat actor ran in the system and the files the threat actor downloaded.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today we are sharing new information that potentially impacts the security of our customers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). 
The Auth0/CIC support case management system was also not impacted by this incident.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor ran a report on September 28, 2023 at 15:06 UTC that contained the following fields for each user in Okta’s customer support system:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Created Date\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Last Login\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Full Name\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Username\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Email\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Company Name\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User 
Type\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Address\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"[Date of] Last Password Change or Reset\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Role: Name\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Role: Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Phone\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Mobile\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Time Zone\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SAML Federation ID\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data. 
For 99.6% of users in the report, the only contact information recorded is full name and email address.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks. Okta customers sign-in to Okta’s customer support system with the same accounts they use in their own Okta org. Many users of the customer support system are Okta administrators. It is critical that these users have multi-factor authentication (MFA) enrolled to protect not only the customer support system, but also to secure access to their Okta admin console(s).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Given that names and email addresses were downloaded, we assess that there is an increased risk of phishing and social engineering attacks directed at these users. While 94% of Okta customers already require MFA for their administrators, we recommend ALL Okta customers employ MFA and consider the use of phishing resistant authenticators to further enhance their security. 
Please refer to product documentation to enable MFA for the admin console (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/security/mfa/mfa-enable-admins.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Classic\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/security/mfa/mfa-enable-admins.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"OIE\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\").\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How we discovered this\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Following the publication of the RCA on November 3, Okta Security reviewed our initial analysis of the actions that the threat actor performed, including manually recreating the reports that the threat actor ran within the customer support system. We identified that the file size of one particular report downloaded by the threat actor was larger than the file generated during our initial investigation. After additional analysis, we concluded that the report contained a list of all customer support system users. The discrepancy in our initial analysis stems from the threat actor running an unfiltered view of the report. 
Our November review identified that if the filters were removed from the templated report, the downloaded file was considerably larger - and more closely matched the size of the file download logged in our security telemetry.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We also identified additional reports and support cases that the threat actor accessed, which contain contact information of all Okta certified users and some Okta Customer Identity Cloud (CIC) customer contacts, and other information. Some Okta employee information was also included in these reports. This contact information does not include user credentials or sensitive personal data.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We are working with a third-party digital forensics firm to validate our findings and we will be sharing the report with customers upon completion.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Implementing recommended best practices\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend all customers immediately take the following actions to defend against potential attacks that target their Okta administrators.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multi-Factor Authentication (MFA): We strongly recommend all Okta customers secure admin access using MFA at a minimum. 
We also strongly encourage customers to enroll administrative users in phishing resistant authenticators (such as Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC Smart Cards) and to enforce phishing resistance for access to all administrative applications. Please refer to product documentation to enable MFA for the admin console (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/security/mfa/mfa-enable-admins.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Classic\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/security/mfa/mfa-enable-admins.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"OIE\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\").\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Admin Session Binding: As communicated in the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Incident RCA\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", customers can now enable an Early Access feature in Okta that requires admins to reauthenticate if their session is reused from an IP address with a different ASN (Autonomous System Number). 
Okta strongly recommends customers enable this feature to further secure admin sessions.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Admin Session Timeout: To align with \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://pages.nist.gov/800-63-4/sp800-63b.html\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"NIST AAL3\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" guidelines and increase the security posture of every customer, Okta is introducing Admin Console timeouts that will be set to a default of 12-hour session duration and a 15-minute idle time. Customers will have the option to edit these settings. This will be available as an Early Access feature starting November 29th for preview orgs and December 4th for production orgs. The feature will be available for all production orgs by January 8th, 2024. An email was sent to all Super Admins regarding this change on November 27th, and a copy of that communication can be found in the Knowledge Base article: \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.asqula.com/help/s/article/admin-session-lifetime-idle-timeout-security-enhancements?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Admin Session Lifetime/Idle Timeout Security Enhancements\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Phishing Awareness: In addition, Okta customers should be vigilant of phishing attempts that target their employees and especially wary of social engineering attempts that target their IT Help Desks and related service providers. 
We recommend Okta customers implement our industry-leading, phishing-resistant methods for enrollment, authentication, and recovery. Please see \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/architecture/pr/pr-overview.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Solutions for Phishing Resistance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for more information on protecting your organization from phishing. We also strongly recommend that customers review their IT Help Desk verification processes and ensure that appropriate checks, such as visual verification, are performed before performing high risk actions such as password or factor resets on privileged accounts.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2024-06-07T03:39:23.442Z","slug":"/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause","node_locale":"en","date":"2023-11-03T09:08:48+00:00","secAuthor":[{"name":"David Bradbury","slug":"david-bradbury","jobTitle":"Chief Security Officer","id":"87a8e5b7-da9e-56f7-95dc-37bd1aaee0d9","bio":{"bio":"<p>David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. In addition, he is instrumental in helping Okta’s customers continue to adopt and accelerate Zero Trust security strategies. </p>\n\n<p>Prior to joining Okta, Bradbury was Senior Vice President and Chief Security Officer at Symantec where he led and had global oversight of all cyber security and physical security programs. </p>\n\n<p>Bradbury has built an international reputation for leading and delivering cybersecurity at scale. 
He has worked across his native Australia, as well as in the United Kingdom and the United States, leading highly-regarded security teams at some of the world’s largest banks, including ABN AMRO, Barclays, Morgan Stanley and the Commonwealth Bank of Australia. He holds a B.S. in Computer Science from the University of Sydney.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=15&h=23&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=29&h=44&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=58&h=87&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=116&h=174&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=58&h=87&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=15&h=23&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=29&h=44&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=58&h=87&fl=progressive&q=50&fm=jpg 
58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=116&h=174&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#e8e8d8","width":58,"height":87}}}],"title":"Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":null,"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Executive Summary\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"We offer our apologies to those affected customers, and more broadly to all our customers that trust Okta as their identity provider. We are deeply committed to providing up-to-date information to all our customers.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"On Thursday, October 19, Okta advised customers of a security incident. Having finalized our investigation, we can confirm that from September 28, 2023 to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta customers. Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks. The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers, 3 of whom have shared their own response to this event.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"The unauthorized access to Okta’s customer support system leveraged a service account stored in the system itself. 
This service account was granted permissions to view and update customer support cases. During our investigation into suspicious use of this account, Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Failure to identify file downloads in customer support vendor logs\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"For a period of 14 days, while actively investigating, Okta did not identify suspicious downloads in our logs. When a user opens and views files attached to a support case, a specific log event type and ID is generated tied to that file. If a user instead navigates directly to the Files tab in the customer support system, as the threat actor did in this attack, they will instead generate an entirely different log event with a different record ID.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s initial investigations focused on access to support cases, and subsequently we assessed the logs linked to those cases. On October 13, 2023, BeyondTrust provided Okta Security a suspicious IP address attributed to the threat actor. 
With this indicator, we identified the additional file access events associated with the compromised account.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Investigation Timeline\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-09-29 1Password reports suspicious activity to Okta Support.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-09-29 Okta Security begins an investigation, suspecting that 1Password was most likely the victim of malware or a phishing attack.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-09-29 to 2023-10-02 Okta Security meets with 1Password on 9/29, 9/30, 10/1 and 10/2 in an attempt to resolve their support case.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-02 BeyondTrust reports suspicious activity to Okta Support.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-02 to 2023-10-11 Okta Security meets with 1Password and BeyondTrust multiple times from 10/2 to 10/11.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-12 A third customer reports suspicious activity to Okta Support.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-13 BeyondTrust provides Okta Security an indicator of compromise (IP address) associated with the event they reported to Okta Support on 10/2.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-16 Using the supplied IP address, Okta Security 
identifies a service account associated with previously unobserved events in the customer support system logs.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-17 Okta Security disables the service account and terminates associated sessions.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-17 Okta Security copies and examines all files identified in the customer support system logs that were accessed by the threat actor. 134 Okta customers or less than 1% of Okta customers had a file accessed by the threat actor.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-17 Okta Security revokes the Okta session tokens embedded in the HAR files.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-17 Okta Security investigates whether the threat actor attempted to access customer Okta instances using these files.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-18 Okta Security notifies a fourth Okta customer targeted by the adversary.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-18 Okta Security identified a gap in the logs from the customer support system, missing the final hours that the threat actor had access. 
A re-run query now returns a complete picture of adversary activity.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-19 Okta Security identifies additional files downloaded by the threat actor that were not previously discovered due to the delay in receiving the logs.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-19 Okta Security revokes the Okta session tokens embedded in the newly discovered HAR files that had been downloaded by the threat actor.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-19 Okta Security identifies Cloudflare as the fifth and final Okta target of the adversary.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-19 Okta alerts all Okta customers with registered security contacts, confirming if they were or were not impacted by the security incident.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-20 Okta publishes public advisory at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/2023/10/tracking-unauthorized-access-oktas-support-system\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"https://sec.asqula.com/articles/2023/10/tracking-unauthorized-access-oktas-support-system\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/harfiles\"},\"content\":[]}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-20 to 2023-11-02 Okta is focused on helping all customers, answering their questions and rolling out remediation 
steps.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-11-02 Okta notifies all Okta customers with registered security contacts of the root cause and remediation steps.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-11-03 Okta publishes root cause and remediation steps at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/harfiles\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"https://sec.asqula.com/harfiles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Remediation Tasks\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"1. Disabled the compromised service account (Complete)\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Okta has disabled the service account in the customer support system.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2. Blocking the use of personal Google profiles with Google Chrome (Complete)\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Okta has implemented a specific configuration option within Chrome Enterprise that prevents sign-in to Chrome on their Okta-managed laptop using a personal Google profile.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"3. 
Enhanced monitoring for the customer support system (Complete)\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has deployed additional detection and monitoring rules for the customer support system.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"4. Binding Okta administrator session tokens based on network location (Complete)\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has released session token binding based on network location as a product enhancement to combat the threat of session token theft against Okta administrators. Okta administrators are now forced to re-authenticate if we detect a network change. This feature can be enabled by customers in the early access section of the Okta admin portal.\",\"marks\":[],\"data\":{}}],\"data\":{}}]}"}},{"updatedAt":"2024-07-11T01:51:14.460Z","slug":"/articles/2023/10/tracking-unauthorized-access-oktas-support-system","node_locale":"en","date":"2023-10-20T14:41:32+00:00","secAuthor":[{"name":"David Bradbury","slug":"david-bradbury","jobTitle":"Chief Security Officer","id":"87a8e5b7-da9e-56f7-95dc-37bd1aaee0d9","bio":{"bio":"<p>David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. In addition, he is instrumental in helping Okta’s customers continue to adopt and accelerate Zero Trust security strategies. </p>\n\n<p>Prior to joining Okta, Bradbury was Senior Vice President and Chief Security Officer at Symantec where he led and had global oversight of all cyber security and physical security programs. </p>\n\n<p>Bradbury has built an international reputation for leading and delivering cybersecurity at scale. 
He has worked across his native Australia, as well as in the United Kingdom and the United States, leading highly-regarded security teams at some of the world’s largest banks, including ABN AMRO, Barclays, Morgan Stanley and the Commonwealth Bank of Australia. He holds a B.S. in Computer Science from the University of Sydney.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=15&h=23&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=29&h=44&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=58&h=87&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=116&h=174&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=58&h=87&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=15&h=23&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=29&h=44&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=58&h=87&fl=progressive&q=50&fm=jpg 
58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=116&h=174&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#e8e8d8","width":58,"height":87}}}],"title":"Tracking Unauthorized Access to Okta's Support System","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":null,"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Security has identified adversarial activity that leveraged access to a stolen credential to access Okta's support case management system.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases. It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted. In addition, the Auth0/CIC case management system is not impacted by this incident.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Note: All customers who were impacted by this have been notified. 
If you’re an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets.\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Within the course of normal business, Okta support will ask customers to upload an \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oag/en-us/content/topics/access-gateway/troubleshooting-with-har.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"HTTP Archive (HAR)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users. Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Attacks such as this highlight the importance of remaining vigilant and being on the lookout for suspicious activity. We are sharing the following Indicators of Compromise to assist customers who wish to perform their own threat hunting activity. We recommend referring to our previously \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/2023/02/user-sign-and-recovery-events-okta-system-log\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"published advice\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" on how to search System Log for any given suspicious session, user or IP. 
Please note that the majority of the indicators are commercial VPN nodes according to our enrichment information.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"IP Addresses\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"23.105.182.19\\n104.251.211.122\\n202.59.10.100\\n162.210.194.35 (BROWSEC VPN)\\n198.16.66.124 (BROWSEC VPN)\\n198.16.66.156 (BROWSEC VPN)\\n198.16.70.28 (BROWSEC VPN)\\n198.16.74.203 (BROWSEC VPN)\\n198.16.74.204 (BROWSEC VPN)\\n198.16.74.205 (BROWSEC VPN)\\n198.98.49.203 (BROWSEC VPN)\\n2.56.164.52 (NEXUS PROXY)\\n207.244.71.82 (BROWSEC VPN)\\n207.244.71.84 (BROWSEC VPN)\\n207.244.89.161 (BROWSEC VPN)\\n207.244.89.162 (BROWSEC VPN)\\n23.106.249.52 (BROWSEC VPN)\\n23.106.56.11 (BROWSEC VPN)\\n23.106.56.21 (BROWSEC VPN)\\n23.106.56.36 (BROWSEC VPN)\\n23.106.56.37 (BROWSEC VPN)\\n23.106.56.38 (BROWSEC VPN)\\n23.106.56.54 (BROWSEC VPN)\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User-Agents\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While the following user-agents are legitimate, they may be rare in your environment given the release of Chrome 99 in March 2022.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Mozilla/5.0 (Windows NT 10.0) \\nAppleWebKit/537.36 (KHTML, like Gecko) \\nChrome/99.0.7113.93 Safari/537.36\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"(Legitimate, but older user-agent)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Mozilla/5.0 
(Macintosh; Intel Mac OS X 10_15_7) \\nAppleWebKit/537.36 (KHTML, like Gecko) \\nChrome/99.0.4844.83 Safari/537.36\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"(Legitimate, but older user-agent)\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2024-06-07T03:39:23.605Z","slug":"/articles/2023/09/go-secure-default-custom-admin-roles-it-support-staff","node_locale":"en","date":"2023-09-14T20:54:01+00:00","secAuthor":[{"name":"Brett Winterford","slug":"brett-winterford","jobTitle":"VP, Okta Threat Intelligence","id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence.  Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats.  Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. </br> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  
Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=15&h=12&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=29&h=24&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=58&h=47&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=116&h=94&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=58&h=47&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=15&h=12&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=29&h=24&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=58&h=47&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=116&h=94&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#887808","width":58,"height":47}}}],"title":"Go “Secure by Default” With Custom Admin Roles for IT support 
staff","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":null,"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"The Takeaway: Creating custom roles for your help desk staff supports a “least privilege” approach.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"In late August, Okta’s Defensive Cyber Operations team \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"outlined a social engineering campaign\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in which a target’s IT support staff - that is, the team responsible for common help desk tasks, were tricked into resetting the authenticators of users with the most privileged roles in an organization.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"One of the many \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"recommendations\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" made in response to this event was to constrain the permissions of IT support staff in ways that prevent them from performing operations on highly privileged users. 
The best way to do this is to create and assign a Custom Admin Role for IT Support staff.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"As the name suggests, Okta’s \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/security/custom-admin-role/custom-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Custom Admin Roles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" provides the ability to create customized administrative roles with the least privileges required. These roles can be constrained by what tasks the administrator can perform, and what resources (users, groups, apps, workflows etc) the admin can perform those tasks in.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Custom Admin Roles can subsequently be used to remove all other administrators from the resource set assigned to your IT Support staff.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Detailed instructions are available in the following \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.asqula.com/help/s/article/assigning-custom-admin-roles-to-it-support-staff?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Knowledge Based Article\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}],\"data\":{}}]}"}},{"updatedAt":"2024-06-25T18:19:21.977Z","slug":"/articles/2023/08/cross-tenant-impersonation-prevention-and-detection","node_locale":"en","date":"2023-08-31T18:31:36+00:00","secAuthor":[{"name":"Defensive Cyber Operations","slug":"defensive-cyber-operations","jobTitle":"","id":"40144a58-c93f-5b84-895a-5658f212b168","bio":{"bio":"<p>The Defensive Cyber Operations (DCO) team is 
responsible for detecting and responding to cyber threats that impact Okta or our customers via the Okta platform. Our intelligence-driven capability identifies the adversaries most likely to impact Okta and our customers, and prioritises our defensive capabilities based on the threats most likely to be realised.</p>"},"image":null}],"title":"Cross-Tenant Impersonation: Prevention and Detection","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":null,"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Summary\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has observed attacks in which a threat actor used social engineering to attain a highly privileged role in an Okta customer Organization (tenant).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When successful, the threat actor demonstrated novel methods of lateral movement and defense evasion.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These methods are preventable and present several detection opportunities for defenders.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In recent weeks, multiple US-based Okta customers have reported a consistent pattern of 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/2023/07/social-engineering-getting-more-extreme-fixes-can-be-simple\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"social engineering\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" attacks against their IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The attackers then \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/2023/07/unexpected-endorsement-webauthn\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"leveraged their compromise\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tactics, Techniques and Procedures\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Security has identified a cluster of activity in which:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Threat actors appeared to either have a) passwords to privileged user accounts or b) be able to manipulate the delegated authentication flow via Active Directory (AD) prior to calling the IT service desk at a targeted org, requesting a reset of all MFA factors in the target account. 
In the case of Okta customers, the threat actor targeted users assigned with Super Administrator permissions.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor would access the compromised account using anonymizing proxy services and an IP and device not previously associated with the user account.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The compromised Super Administrator accounts were used to assign higher privileges to other accounts, and/or reset enrolled authenticators in existing administrator accounts. In some cases, the threat actor removed second factor requirements from authentication policies.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor was observed configuring a second Identity Provider to act as an \\\"impersonation app\\\" to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a “source” IdP in an inbound federation relationship (sometimes called “Org2Org”) with the target.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"From this “source” IdP, the threat actor manipulated the username parameter for targeted users in the second “source” Identity Provider to match a real user in the compromised “target” Identity Provider. 
This provided the ability to Single sign-on (SSO) into applications in the target IdP as the targeted user.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What is Inbound Federation?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.asqula.com/docs/concepts/identity-providers/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Inbound Federation\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" allows access to applications in a target Identity Provider (IdP) if the user has successfully authenticated to a source IdP. The feature can also be used for Just-in-time (JIT) provisioning of users. It’s a feature that is used to save months off mergers, acquisitions and divestitures. It is also popular with large organizations (such as global parent companies) that require central controls or globally provision one set of applications (while also empowering divisions to have some level of autonomy for their own policies and apps).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Given how powerful this is, access to create or modify an Identity Provider is limited to users with the highest permissions in an Okta organization - Super Administrator or Org Administrator. 
It can also be \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/custom-admin-role/about-role-permissions.htm#IdP_permissions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"delegated to a Custom Admin Role\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to reduce the number of Super Administrators required in large, complex environments.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These recent attacks highlight why protecting access to highly privileged accounts is so essential.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Prevention\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Based on our analysis of this intrusion, we recommend that Okta customers implement our phishing-resistant methods for enrollment, authentication and recovery; restrict the use of highly privileged accounts; apply dedicated access policies for administrative users; and monitor and investigate anomalous use of functions reserved for privileged users.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A more detailed set of recommendations is listed below:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Protect sign-in flows by \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/2023/07/unexpected-endorsement-webauthn\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"enforcing phishing-resistant 
authentication\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" with Okta FastPass and FIDO2 WebAuthn.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enable \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/security/admin-console-protected-actions.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Protected Actions\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (under \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Settings > Features\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\") to force re-authentication whenever an administrative user attempts to perform sensitive actions.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Configure Authentication Policies (Application Sign-on Policies) for access to privileged applications, including the Admin Console, to require re-authentication “at every sign-in”.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If using self-service recovery, initiate recovery with the strongest available authenticator, and limit recovery flows to trusted networks (by IP, ASN or geolocation).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Review and consolidate the use of Remote Management and Monitoring (RMM) tools by help desk personnel, and block execution of all other RMM 
tools.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Strengthen help desk identity verification processes using visual verification.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Turn on and test New Device and Suspicious Activity \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/Security_General.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"end-user notifications\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Take a \\\"Zero Standing Privileges\\\" approach to administrative access. 
Assign administrators \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/custom-admin-role/about-creating-custom-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Custom Admin Roles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" with the least permissions required for daily tasks, and require dual authorization for JIT (just-in-time) access to more privileged roles.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/2023/09/go-secure-default-custom-admin-roles-it-support-staff\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Constrain custom help desk roles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" with resource sets that exclude groups of highly privileged administrators.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enforce dedicated admin policies - Assign all administrators to groups. Require users in these groups to sign-in from managed devices and via phishing resistant MFA (Okta FastPass, FIDO2 WebAuthn). 
Restrict this access to trusted Network Zones and deny access from anonymizing proxies.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apply ASN and IP Session Binding (from \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Settings > Features\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\") to all administrative apps to prevent the replay of stolen administrative sessions.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detection and Response\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The following System Log events and Workflows templates can be adapted to detect several of the TTPs listed above.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Stage of Attack\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log Query\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Workflows Templates/Further Advice\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detect AiTM phishing using 
FastPass\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.authentication.auth_via_mfa\\\" AND result eq \\\"FAILURE\\\" AND outcome.reason eq \\\"FastPass declined phishing attempt\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/okta/workflows-templates/blob/master/workflows/monitor_unsuccessful_phishing_attempts/readme.md\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Monitor Unsuccessful Phishing Attempts\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Denied Access due to ASN/IP Session Binding\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.session.detect_client_roaming\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.asqula.com/help/s/article/how-to-test-the-bind-admin-sessions-to-asn-feature?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Support 
article\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Alert on Factor Resets\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.mfa.factor.reset_all\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/okta/workflows-templates/blob/master/workflows/trigger_notifications_when_all_mfa_factors_are_res/readme.md\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Trigger Notifications when All MFA Factors are Reset\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Alert on Factor Downgrades\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There is no System Log event for a Factor downgrade. 
To monitor all activation and deactivation events, use the following query:\\n\\neventType sw\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\\"system.mfa.factor\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/okta/workflows-templates/blob/master/workflows/tracking_and_alerting_for_possible_account_takeove/readme.md\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tracking and Alerting for Possible Account Takeover Events\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Alert on User Suspicious Activity Reports\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.account.report_suspicious_activity_by_enduser\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious Activity 
Reported\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Alert on New Behaviors during Access to Okta Admin Console\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"policy.evaluate_sign_on\\\" and target.displayName eq \\\"Okta Admin Console\\\" and debugContext.debugData.behaviors co \\\"POSITIVE\\\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"and\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"policy.evaluate_sign_on\\\" and target.displayName eq \\\"Okta Admin Console\\\" and debugContext.debugData.LogOnlySecurityData co \\\"POSITIVE\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend administrators use \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-policy-rule.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Expression Language\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to alert on access to the Admin Console from users that meet the following conditions:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"security.behaviors.contains('New IP') && security.behaviors.contains('New 
Device')\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Alert on Sign-In Attempts via Anonymizing Proxies\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.session.start\\\" \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"and \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"securityContext.isProxy eq \\\"true\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend administrators deny sign-ins from these services in policy using a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/identity-engine/network/create-dynamic-zone.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Dynamic Network Zone\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Alert on Creation of an Identity Provider by a Super Administrator or Org Administrator\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"system.idp.lifecycle.create\\\"\\n\\n\\n\\t\\t\\tAlternative that includes all creation and modification 
events:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType sw \\\"system.idp.lifecycle\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend delegating access to this feature to a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/custom-admin-role/about-creating-custom-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Custom Admin Role\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" with the minimum required permissions.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Alert on Sign-In Events via a Third-Party Identity Provider\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.authentication.auth_via_IDP\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend alerting on these events if the organization does not currently use the Inbound Federation feature.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Indicators of Compromise\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For the period 2023-07-29 to 
2023-08-19\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"IP addresses:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"IP\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"24.189.245.79\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"74.105.157.5\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"174.199.192.95\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"98.113.77.43\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"108.21.89.22\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"75.252.4.33\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"tabl
e-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"73.205.234.246\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"99.25.84.9\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"185.56.83.225\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"96.244.225.43\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Change Log\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1.2 - Mar 8, 2024\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Updated recommendations to include new features released as part of Okta Secure Identity Commitment: Protected Actions, ASN/IP Session Binding.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Updated detections section to include the System Log event for an authentication failure arising from session 
binding.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1.1 - Sep 9, 2023\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Updated Prevention section to include advice on constraining help desk administrators to specific user groups.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Updated Detection section. While defenders can alert on IdP creation (eventType eq \\\"system.idp.lifecycle.create\\\"), an alternative approach is to alert on any creation or modification using the \\\"starts with\\\" qualifier (eventType sw \\\"system.idp.lifecycle\\\")\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1.0 - Sep 1, 2023\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Original Version Published\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2024-06-07T21:27:19.039Z","slug":"/articles/2023/08/byo-telephony-and-future-sms-okta","node_locale":"en","date":"2023-08-28T21:23:39+00:00","secAuthor":[{"name":"Ben King","slug":"ben-king","jobTitle":"VP, Security Trust & Culture","id":"15f85411-1854-5e47-b48b-c00cd215bafd","bio":{"bio":"<p>Ben King is the Vice President for Security Trust and Culture at Okta. 
He leads the Field Security, Customer Assurance, Customer Audit, Security Communications and Culture teams operating across the Americas, Europe and APJ. Prior to joining Okta, Ben was in a regional cybersecurity leadership role for Symantec, and spent 11 years at the Commonwealth Bank of Australia in a variety technology and cybersecurity strategy and governance roles, including as Cybersecurity lead for Europe. Ben has built a reputation for creating and leading high performing teams, having lived and worked in Australia, the United Kingdom, Canada and the USA. He holds a Bachelor of Engineering and a Bachelor of Commerce from the University of Sydney.</p><p> </p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/324uLkdOfj2XYPSpvXc8lH/2f6c417af2a3e3d074faac828bf8b9cf/ben-king-okta-trust.png?w=15&h=16&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/324uLkdOfj2XYPSpvXc8lH/2f6c417af2a3e3d074faac828bf8b9cf/ben-king-okta-trust.png?w=29&h=31&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/324uLkdOfj2XYPSpvXc8lH/2f6c417af2a3e3d074faac828bf8b9cf/ben-king-okta-trust.png?w=58&h=61&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/324uLkdOfj2XYPSpvXc8lH/2f6c417af2a3e3d074faac828bf8b9cf/ben-king-okta-trust.png?w=116&h=122&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/324uLkdOfj2XYPSpvXc8lH/2f6c417af2a3e3d074faac828bf8b9cf/ben-king-okta-trust.png?w=58&h=61&q=50&fm=png","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/324uLkdOfj2XYPSpvXc8lH/2f6c417af2a3e3d074faac828bf8b9cf/ben-king-okta-trust.png?w=15&h=16&q=50&fm=png 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/324uLkdOfj2XYPSpvXc8lH/2f6c417af2a3e3d074faac828bf8b9cf/ben-king-okta-trust.png?w=29&h=31&q=50&fm=png 
29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/324uLkdOfj2XYPSpvXc8lH/2f6c417af2a3e3d074faac828bf8b9cf/ben-king-okta-trust.png?w=58&h=61&q=50&fm=png 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/324uLkdOfj2XYPSpvXc8lH/2f6c417af2a3e3d074faac828bf8b9cf/ben-king-okta-trust.png?w=116&h=122&q=50&fm=png 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#e8e8e8","width":58,"height":61}}}],"title":"BYO Telephony and the future of SMS at Okta","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":null,"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SMS has long played an important role as a universally applicable method of verifying a user’s identity via one-time passcodes. And over the last decade, SMS and voice-based Multi-factor Authentication has prevented untold attempts to compromise user accounts.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"But it’s time to move on.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As of August 2023, any new Okta customer choosing to authenticate users via SMS or voice must configure their own \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/telephony/about-telephony.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Telephony\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" provider, just as they would any other \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/MFA_Custom_Factor.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"custom IdP\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/mfa-totp-seed.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"custom TOTP\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" factor. Starting September 15, 2024, at time of renewal, all existing customers must also bring their own telephony provider if they choose to continue to use SMS or voice.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In order to maintain flexibility, Okta doesn’t intend to deprecate the SMS authenticator. Nonetheless, Okta Security urges customers to accelerate their transition to passwordless with \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/phishingasaservice\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"phishing-resistant factors\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" like FastPass or FIDO2 WebAuthn.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The good news? 
Migrating users to FastPass comes at no additional licensing cost.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SMS offers limited assurance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Let’s explore some of the reasons why customers should begin planning a transition away from SMS/Voice:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"ordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SMS lacks phishing resistance\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The one-time secret communicated in an SMS is not cryptographically bound in any way to the authenticator. There is nothing to stop an adversary from extracting the secret during phishing or social engineering attacks, and modern phishing tools make it trivial to defeat SMS-based authentication. Phishing Resistance is a property that only Okta FastPass, FIDO2 Webauthn and PIV Smart Cards offer in the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/Content/Topics/identity-engine/authenticators/phishing-resistant-auth.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Engine\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" today.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2. 
The channel for sending secrets is outside of your organization’s control\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Personal webmail and SMS are two categories of authenticator in which the channel for communication of a secret lies outside of the control of the IT administrator. This property can be, and often has been, exploited by adversaries. The most common form of abuse is when adversaries convince support staff at telecommunications providers to perform a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://krebsonsecurity.com/2022/08/how-1-time-passcodes-became-a-corporate-liability/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"SIM Swap\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", moving the target’s phone number, and with it the one-time secrets, to a mobile device they control. There are other examples of adversaries using \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.cyber.nj.gov/informational-report/sim-swapping-attacks\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"social engineering or bribes\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" with staff at telecommunications providers to perform SIM swapping. At the more extreme end, adversaries have attacked telecommunications providers, or the organizations that generate OTPs, directly in an attempt to perform SIM swaps or intercept OTPs sent to user devices.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3. SMS does not offer device signals\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As described above, SMS doesn’t link a user with a device they possess with very high assurance. This is a property that Okta Verify (via either FastPass or push notifications) and FIDO2 WebAuthn can satisfy. 
FastPass Device Assurance can also \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/Content/Topics/identity-engine/devices/device-assurance.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"assess the posture (health) of the device\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" associated with a user signing in. Little wonder that, given a choice, adversaries tend to add and use the SMS/voice factor over others to sign in to compromised accounts.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"4. SMS underperforms on usability\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As Okta’s recent \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/the-secure-sign-in-trends-report/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Secure SignIn Trends\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" report demonstrated, it takes around three times longer for a user to log in via password and SMS than via passwordless, phishing-resistant authenticators. It’s also more subject to user error, generating large volumes of benign events that offer little in the way of confidence to a security analyst.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What your regulator thinks of SMS\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"It doesn’t take an expert in forecasting to note which way the wind is blowing for SMS-based MFA. 
As far back as 2017, NIST recommended against using phone-based authentication such as SMS in the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://pages.nist.gov/800-63-3/sp800-63b.html#restricted\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"800-63-3 guidance document\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Earlier this month, the US Cyber Safety Review Board \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"recommended\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that \\\"organizations urgently implement improved access controls and authentication methods and transition away from voice and SMS-based MFA.\\\" In a recent settlement, the Federal Trade Commission (FTC) specifically \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://iapp.org/news/a/the-ftcs-rapidly-evolving-standards-for-mfa/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"prohibited a company\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" from using SMS-based MFA. And it’s not just in the United States. The UK’s National Cyber Security Centre (NCSC) recommends that organizations consider alternatives to SMS: “There are many ways by which SMS can be compromised and full defence against such attacks is not possible”. The Central Bank of Malaysia now \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.bnm.gov.my/-/financial-crime-exhibition-speech-en\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"requires banks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to make the same transition. 
Next door, Singapore’s Monetary Authority of Singapore (MAS) intends to “\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sg.finance.yahoo.com/news/sms-otp-mas-set-deadline-banks-phase-out-sole-authentication-factor-024151724.html?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAAJabatKOPTP5ITkmNL-pVh89mrlMdbVmAYHnJDaMbk5QtWPq6RWmsglGOH1W-6TSMmwverZsQcECVk__ZyC2NFzYgcBXj6gvJ2-y5qdChNfw-6pzPuekRro7kRZZHnv0YadqCu_vc6Z6B1MjFhLknkMyCXa28VGS0FiOmS8-uo2Z\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"set a deadline\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for all retail banks to phase out the use of Short Messaging Service (SMS) one-time passwords (OTP) as a sole authentication factor for high-risk transactions.\\\" Which means, again \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"per our pals at CISA\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", “phishing-resistant MFA is the gold standard and organizations should make migrating to it a high priority effort”.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SMS and Shared Responsibility\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At Okta, we are regularly impressed by the different ways our customers leverage identity to create value in their organizations. We also endeavor to make it easy for those customers to deliver the most secure and user-friendly authentication experience. Strong, user-friendly authentication is provided by Okta Verify as part of the Okta service, and meets most use cases. We offer a broad range of other authenticators to choose from too. 
Customers are free to choose SMS and voice for authentication, if the use case requires and its use is within risk tolerance. That said, if your organization chooses to authenticate users via SMS, it’s important to perform your own due diligence on which SMS/telephony provider best meets your needs.\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2024-06-11T22:35:22.483Z","slug":"/articles/2023/08/saying-no-thanks-noauth","node_locale":"en","date":"2023-08-04T22:26:49+00:00","secAuthor":[{"name":"Laremy Legel","slug":"laremy-legel","jobTitle":"Senior Manager, Security Communications","id":"9e460982-03d4-534b-9941-c9f366f4daea","bio":{"bio":"<p>Prior to joining Okta recently as a Senior Communications Manager, Laremy Legel worked for Amazon Web Services (AWS). Upon joining AWS in 2014, he delivered communications on topics such as Zero Trust, Defense in Depth, Confidential Computing, and global privacy regulations. After bringing two services to market (AWS Artifact and Amazon Macie), Laremy transitioned to assist the CISO of AWS and co-founded the first dedicated cloud security conference, AWS re:Inforce, in 2019.  
</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/7EyNo4FLumgJTEON0drsXj/c2bfaa5f68c62faa9138c6163bc86914/LL.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/7EyNo4FLumgJTEON0drsXj/c2bfaa5f68c62faa9138c6163bc86914/LL.jpg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/7EyNo4FLumgJTEON0drsXj/c2bfaa5f68c62faa9138c6163bc86914/LL.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/7EyNo4FLumgJTEON0drsXj/c2bfaa5f68c62faa9138c6163bc86914/LL.jpg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/7EyNo4FLumgJTEON0drsXj/c2bfaa5f68c62faa9138c6163bc86914/LL.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/7EyNo4FLumgJTEON0drsXj/c2bfaa5f68c62faa9138c6163bc86914/LL.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/7EyNo4FLumgJTEON0drsXj/c2bfaa5f68c62faa9138c6163bc86914/LL.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/7EyNo4FLumgJTEON0drsXj/c2bfaa5f68c62faa9138c6163bc86914/LL.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/7EyNo4FLumgJTEON0drsXj/c2bfaa5f68c62faa9138c6163bc86914/LL.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#f8f8f8","width":58,"height":58}}}],"title":"Saying “No Thanks” to nOAuth","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":null,"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"You may have heard about a vulnerability called, “nOAuth”, where, per Microsoft, “use of the email claim from access tokens for 
authorization can lead to an escalation of privilege.” What is this vulnerability, how can Okta help, and what are the mitigation steps and strategies to keep your own environment nOAuth-free? Let’s break it down!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What is nOAuth?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Discovered in April of 2023 \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.descope.com/blog/post/noauth\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"by researchers at descope\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", the nOAuth vulnerability relies on user accounts being merged by a Microsoft Azure AD OAuth application in a way that allows the attacker to take over a user account.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The vulnerable condition was observed in several unique combinations of OAuth applications, identity providers, and where “Log in with Microsoft” was offered as a sign-in method. While the research named Microsoft-specific methods of sign-in, we feel there are lessons to be learned by all developers of OAuth apps, irrespective of which identity provider they rely on.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The nOAuth Attack\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The attack works like this: adversaries first create a new Azure AD administrator account (in an attacker-owned tenant) and alter its email address to match that of their intended target. 
There are two unique conditions that must be met for this to result in account takeover.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An OAuth application must:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Trust the “email” claim for verifying users (which is not a recommended practice), and\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Merge user accounts whenever a user signs in via “Sign in with Microsoft” (social login). The user must have previously signed into the app using some alternative mechanism to trigger the merge event.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If the application merges user accounts without proper validation, the attacker gains control over the target's application account, even if the victim didn't have a Microsoft account to sign in with.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While many elements must align for this attack to work, the nOAuth attack is difficult to remedy in that it requires remediative action by both the Identity Provider (in this case, Microsoft) and the vulnerable third-party application.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Got it. 
What does Microsoft say about all this?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Microsoft released \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://learn.microsoft.com/en-us/azure/active-directory/develop/migrate-off-email-claim-authorization\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"guidance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" on \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://msrc.microsoft.com/blog/2023/06/potential-risk-of-privilege-escalation-in-azure-ad-applications/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"how to manage the nOAuth vulnerability\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", including:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Never use an email claim for authorization purposes.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Modify the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://learn.microsoft.com/en-us/graph/applications-authenticationbehaviors?tabs=http\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"authenticationBehaviors\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" API to reject unverified email claims to mitigate the risk for existing applications.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When developers are ready to update their code and migrate users to an immutable identifier, like OID, they can use the “xms_edov” 
claim to verify the email address is verified in the Azure AD tenant before the user identifier is changed.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Microsoft also told customers that it, “deployed mitigations to omit token claims from unverified domain owners for most applications”. As such, given the above advice and mitigations, we’ve mostly reached the end of the nOAuth saga. However, there’s more to consider on the topic, and we’d be remiss (and we hate being remiss) if we didn’t go a bit deeper here, because now that we know the what and how of nOAuth, we can bring the Okta world and philosophy into focus.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Saying “No Thanks” to nOAuth\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"First off, it's important to note that this vulnerability stems from a misplaced trust in self-asserted email addresses. However, the novel (and alarming) part of nOAuth is that the attack works across Azure AD tenants, rather than being contained within them.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"By contrast, the Okta Workforce Identity Cloud (WIC) is architected around per-tenant (“Okta Org”) federation, and it's up to the Org administrator to determine what identifiers to support. Our tenant boundary is strict: an org administrator can't impersonate users in a different org. 
Our risk lens is even more granular: by using \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/blog/2022/07/build-highly-scalable-secure-apps/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"per-application signing keys\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", administrators can also mitigate risk across application instances, even within a single org.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One easy remediation within Okta's Universal Directory is configuring \\\"primaryEmail\\\" to be a read-only attribute that end users cannot change (see screenshot below).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"4UVEYrFI7wsHmCqNGhpX3G\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This attribute can also be sourced from HR or other external systems of record; these are the typical solutions for a workforce deployment.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While Okta Customer Identity offers the option to allow unverified emails to be used as part of Self-Service Registration (see screenshot below); the blast radius is again squarely within the tenant itself.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"2qhsm84O46GwgEaMNse0Ze\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Furthermore, the issuer of Microsoft tokens is \\\"MicrosoftOnline\\\", whereas for Okta it is your-org.asqula.com.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This 
vulnerability relies on the concept of leveraging a third-party “social login” combined with a reliance on unverified user-controlled input. Okta allows for a much more secure implementation, including detection tools that greatly diminish the opportunity for this type of third-party vulnerability. In general, applications should be \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.asqula.com/docs/guides/validate-id-tokens/main/#verify-the-claims\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"verifying JSON Web Token (JWT) claims\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\":\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The iss (issuer) claim should match the identifier of your Okta authorization server.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The aud (audience) claim should match the Client ID that you used to request the ID Token. This will be the Client ID for the Application you created in Okta.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The iat (issued at time) claim indicates when this ID token was issued, expressed in Unix time.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The exp (expiry time) claim is the time at which this token will expire, expressed in Unix time. 
You should make sure that this time has not already passed.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The nonce claim value should match whatever was passed when you requested the ID token.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The iss (issuer) must be validated in order to make sure the org that generated the JWT is indeed the correct one.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We’ve also introduced two capabilities to our Customer Identity Cloud (CIC) to reduce the attack surface. For starters, we default to setting the email_verified claim to “false” for users:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"7BnwEU2Kd0VU7NJSh4l4rT\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"CIC has also implemented an email verification flow:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"6kYRT9hlPgmFZJyslV0pRN\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If a customer takes the steps listed above, a nOAuth attack will be stopped at this screen:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"4CJvacI3ZHei2GNwrt9Ytp\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This can be a simple (yet effective) way to avoid this type of account takeover. 
If your application requires that the emails from an Azure AD/ADFS connection's users are always verified, you can enable the “enable email verification flow during login for Azure AD and ADFS connections” option in the tenant's Advanced Settings section.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"After the user authenticates for the first time with a non-verified email, CIC will then ask the user to verify their email by entering a one-time-use code that will be sent to their email account. If the user completes this step, the email_verified field will be set to true, and users will not be prompted again for email verification, unless Azure AD or ADFS return a different email for the user.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"And there you have it: tools and tips you can use in your Okta environments to help mitigate the nOAuth vulnerability. As always, regularly testing and validating your identity program is a critical step for your overall security health; we hope you’ve found a few things you can implement today.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2025-05-01T18:16:44.238Z","slug":"/articles/2023/08/telling-more-okta-detection-stories-google-chronicle","node_locale":"en","date":"2023-08-02T17:42:12+00:00","secAuthor":[{"name":"Defensive Cyber Operations","slug":"defensive-cyber-operations","jobTitle":"","id":"40144a58-c93f-5b84-895a-5658f212b168","bio":{"bio":"<p>The Defensive Cyber Operations (DCO) team is responsible for detecting and responding to cyber threats that impact Okta or our customers via the Okta platform. 
Our intelligence-driven capability identifies the adversaries most likely to impact Okta and our customers, and prioritises our defensive capabilities based on the threats most likely to be realised.</p>"},"image":null}],"title":"Telling More Okta Detection Stories with Google Chronicle ","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":null,"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Robust protection comes from layers, and many of you are already familiar with the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://en.wikipedia.org/wiki/Swiss_cheese_model\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Swiss Cheese Model\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". Simply stated, even when you're confident in your primary controls, that confidence only grows with each additional layer added. Because who wants to have a defense that’s built around a single slice of sad cheese, wrapped in a pitiful film of plastic? No thanks, we’ll take that sturdy block of Swiss each and every time.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Of course, given how thin most security teams are spread, robust layering is often easier said than done. Not every security team has the luxury of dedicated Detection Engineers to craft, research and develop custom logic to catch threat actor activity, and not every security team has the time and skill to synthesize and recreate our logic in other SIEM platforms. 
With this in mind, Okta Security \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/shareddetections\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"recently published a number of our bespoke detections\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“But,” quoth the game show hosts, “ that’s not all!” Today we’re excited to share that Chronicle and Okta have been collaborating to help these detections reach an even wider audience. And this time around, the Chronicle team threw a few extra slices of cheese on top!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Not only did they rewrite these detections for their environment, they also did their own research and wrote additional detections. You can read more about each of them over at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.googlecloudcommunity.com/gc/Community-Blog/Better-Together-Detecting-Suspicious-Okta-Events-with-Google/ba-p/721331\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle’s blog\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". 
We’ve described them below too.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To channel the words of Oprah, “You get a new detection, and you get a new detection, and you get a new detection!”\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Phishing Detection with FastPass Origin Check\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1566/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1566\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Phishing\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_phishing_detection_with_fastpass_origin_check.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_phishing_detection_with_fastpass_origin_check\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta provides a platform detection for when a user enrolled in FastPass fails to authenticate via a real-time AiTM phishing proxy.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/fastpassphishingdetection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detecting Real-Time Phishing 
Attacks\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.authentication.auth_via_mfa\\\" AND result eq \\\"FAILURE\\\" AND outcome.reason eq \\\"FastPass declined phishing attempt\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Successful MFA After Multiple Failures\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\
"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Credential Access\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_mfa_brute_force_attack.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_mfa_brute_force_attack\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detects a successful login after multiple failed MFA pushes\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta 
Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/pushfatigueworkflows\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Using Workflows to Respond to Anomalous Push Requests\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Repeated MFA Rejections by User\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeTyp
e\":\"text\",\"value\":\"Brute Force\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_user_rejected_multiple_push_notifications.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_user_rejected_multiple_push_notifications\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects when an Okta user rejects more than 2 Push notifications in a 10 minute window.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/pushfatigueworkflows\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Using Workflows to Respond to Anomalous Push 
Requests\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Engine\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.authentication.auth_via_mfa\\\" AND outcome.result=\\\"FAILURE\\\" and outcome.reason=\\\"INVALID_CREDENTIALS\\\" and debugContext.debugData.factor eq \\\"OKTA_VERIFY_PUSH\\\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Classic Engine\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq  \\\"user.mfa.okta_verify.deny_push\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious Use of an Okta Session 
Cookie\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1539/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1539\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Steal Web Session Cookie\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_suspicious_use_of_a_session_cookie.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_suspicious_use_of_a_session_cookie\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detects when an adversary attempts to reuse a stolen web session cookie in a different device that has a different OS, IP, Browser or User Agent.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/sessioncookietheft\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Defending against Session 
Hijacking\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Failed Number Challenge\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1621/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1621\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multi-Factor Authentication Request Generation\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_user_failed_number_challenge_during_push_notification.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_user_failed_number_challenge_during_push_notification\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detects when an Okta user failed a number challenge during push notification.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.asqula.com/help/s/article/Number-Challenge-for-Okta-Verify\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Number Challenge for Okta 
Verify\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Mismatch Between Source and Response for Verify Push Request\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1621\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1621\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multi-Factor Authentication Request Generation\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_mismatch_between_source_and_response_for_verify_push_request.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_mismatch_between_source_and_response_for_verify_push_request\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Mismatch Between Source and Response for Verify Push Request\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/shareddetections\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta and Splunk Combine to Detect Common 
Attacks\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multiple Failed Users with Invalid Credentials from the same IP\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Accounts\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_multiple_users_logins_with_invalid_credentials_from_the_same_ip.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_multiple_users_logins_with_invalid_credentials_from_the_same_ip\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects multiple user logins with invalid credentials from a single IP.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log events for Okta 
ThreatInsight\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Reported Suspicious Activity\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Account\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_user_suspicious_activity_reported.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_user_suspicious_activity_reported\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: An Okta user reports suspicious activity in response to an end user security notification.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious Activity 
Reporting\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.account.report_suspicious_activity_by_enduser\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multiple Failed Requests to Access Okta Applications\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1550/004/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1550.004\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\"
:{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use Alternate Authentication Material: Web Session Cookie\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_multiple_failed_requests_to_access_applications.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_multiple_failed_requests_to_access_applications\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detects multiple failed requests to access applications\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta 
Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/shareddetections\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta and Splunk Combine to Detect Common Attacks\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight Alert: Suspected Brute Force\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/001/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110.001\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[
{\"nodeType\":\"text\",\"value\":\"Brute Force: Password Guessing\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_threatinsight_suspected_brute_force_attack.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_threatinsight_suspected_brute_force_attack\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Okta ThreatInsight detects multiple login failures from the same IP across one or more Okta orgs\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta 
Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log events for Okta ThreatInsight\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.detected\\\" and outcome.reason eq \\\"Login Failures\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight Alert: Suspected Targeted Brute 
Force\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Brute Force\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_threatinsight_targeted_brute_force_attack.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_threatinsight_targeted_brute_force_attack\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Okta ThreatInsight detects access requests from known malicious IPs targeting a specific org.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log events for Okta 
ThreatInsight\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.attack.start\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight Alert: Login Failure with High Unknown Users\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/004/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110.004\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeTyp
e\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Brute Force: Credential Stuffing\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_threatinsight_login_failure_with_high_unknown_users.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_threatinsight_login_failure_with_high_unknown_users\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta's ThreatInsight can identify multiple login failures with high unknown users count from the same IP across one or more Okta orgs.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta 
Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log events for Okta ThreatInsight\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.detected\\\" AND outcome.reason co \\\"Login failures with high unknown users count\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight Alert: Suspected Password Spray 
Attack\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/003/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110.003\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Brute Force: Password Spraying\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_threatinsight_suspected_password_spray_attack.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_threatinsight_suspected_password_spray_attack\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta's ThreatInsight can identify Password Spray attacks.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log events for Okta 
ThreatInsight\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.detected\\\" and outcome.reason eq \\\"Password Spray\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Successful Login Evaluated as High Risk\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data
\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Accounts\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_successful_high_risk_user_logins.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_successful_high_risk_user_logins\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects successfully authenticated user logins based on Okta's Behavior Detection pattern analysis.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta 
Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/behavior-detection/logs-behavior-detection.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Behavior Detection System Log events\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"outcome.result eq \\\"SUCCESS\\\" and debugContext.debugData.risk co \\\"HIGH\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta User Account 
Lockout\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Accounts\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_user_account_lockout.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_user_account_lockout\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects when a user's account is locked out or a user account has reached the lockout limit.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/resources/whitepaper/how-adaptive-mfa-helps-mitigate-brute-force-attacks\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"How Adaptive MFA Helps Mitigate Brute Force 
Attacks\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.account.lock\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"New Okta API Token Created\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" 
\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Accounts\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle Identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_new_api_token_created.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_new_api_token_created\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects when a new API token is created.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta 
Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.asqula.com/docs/guides/tokens/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tokens\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"system.api_token.create\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Out of Hours Successful 
Authentication\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Accounts\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_user_login_out_of_hours.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_user_login_out_of_hours\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects out of hours successful authentication.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.asqula.com/help/s/article/User-Signin-and-Recovery-Events-in-the-Okta-System-Log\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Sign-in and Recovery Events in the Okta System 
Log\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Logins from Multiple Cities\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Accounts\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_user_logins_from_multiple_cities.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_user_logins_from_multiple_cities\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects user logins for the same user from different cities within 24 hours.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/behavior-detection/logs-behavior-detection.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Behavior Detection System Log 
events\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We found this exercise to be fulfilling. Writing YARA-L queries is new to us, but they have been super easy to read and collaborate on. Even if you’re not a Chronicle customer, you might find it valuable to read the detection logic in Chronicle to frame your thinking about how you might go about detecting these types of threats.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What’s next?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Once we’re happy with our detections, phishing-resistant factors and other control slices, where should we invest our energy next? I’d suggest considering what an adversary might now need to do for persistence and lateral movement. 
Perhaps they could socially engineer a new factor, a managed device or even a whole new account?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Best get thinking about how you’d detect:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User factors added or modified \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.asqula.com/docs/reference/api/event-types/#catalog\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"(user.mfa.factor*)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"New users created (user.lifecycle.create)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Devices added to MDM\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Remote Monitoring and Management tool installation or execution\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"VM installation on workstations\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Duplicate hostnames\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Gouda 
luck!\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2024-06-07T21:46:05.008Z","slug":"/articles/2023/07/unexpected-endorsement-webauthn","node_locale":"en","date":"2023-07-27T01:43:04+00:00","secAuthor":[{"name":"Defensive Cyber Operations","slug":"defensive-cyber-operations","jobTitle":"","id":"40144a58-c93f-5b84-895a-5658f212b168","bio":{"bio":"<p>The Defensive Cyber Operations (DCO) team is responsible for detecting and responding to cyber threats that impact Okta or our customers via the Okta platform. Our intelligence-driven capability identifies the adversaries most likely to impact Okta and our customers, and prioritises our defensive capabilities based on the threats most likely to be realised.</p>"},"image":null},{"name":"Brett Winterford","slug":"brett-winterford","jobTitle":"VP, Okta Threat Intelligence","id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence.  Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats.  Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. </br> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  
Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":null}],"title":"An Unexpected Endorsement for 
WebAuthn","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":null,"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Security endorses phishing resistant authentication at every opportunity.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We’ve long argued enrolling users in Okta FastPass, FIDO2 WebAuthn authenticators or Smart Cards, and enforcing phishing resistant authentication flows will:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Protect users against \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/phishingasaservice\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"real-time phishing proxies\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and other forms of \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/sessioncookietheft\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"session hijacking\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Solve for far more attacks than simply adding Number Challenge to Push notifications to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/pushfatigueworkflows\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"defeat MFA 
Fatigue\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Offer \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/fastpassphishingdetection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"detection opportunities\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" via System Log and the automation of phishing remediation, identifying potential account takeovers and preventing future attacks in a few seconds.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Provide a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/the-secure-sign-in-trends-report/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"superior user experience\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", without any adverse impacts on enrolment duration or failure rates.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"But don’t take our word for it.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The SMS below was recently sent by a prolific threat actor attempting to convince users at a large tech company to click through to a phishing kit:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"7HJAWRoNL2BhR1QErz58io\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"That’s probably the best endorsement for enforcing phishing-resistant sign-in 
yet!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enforcement is everything\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Celebrity endorsements aside, this is a story about enforcement.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Step one to thwarting phishing attacks is to require users to enroll in strong authenticators. Users required to enroll in Okta FastPass or FIDO2 WebAuthn can authenticate to just about any app that requires two distinct factors. Independently, each of these two authenticators can satisfy possession and inherence factors in 2-3 seconds.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"But that’s not where the task ends.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As this crafty lure demonstrates, step two is to enforce phishing resistance in policy, as seen in the screenshot below. 
Social engineers may otherwise convince users to accept a lower-assurance authenticator (passwords, OTPs, push notifications), on the chance that those sign-in methods satisfy policy requirements.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"6hmPALkOzevI3fGYl5mFev\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This lure also demonstrates why a little redundancy can go a long way.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend requiring users to enroll in \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"both\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" Okta FastPass and FIDO2 WebAuthn (rather than FastPass “or” FIDO2), as well as enforcing phishing resistance.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"That might sound like overkill: both authenticators would prevent the user from compromise, and both can be configured to satisfy two factors in one gesture. So why have both enrolled?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If a threat actor did manage to convince a user to unplug their security key, the tricked user would still be able to sign in to your organization using FastPass - just not via the attacker’s proxy! And as an added bonus, it may ease the pain on support teams if users are prone to misplacing their security keys.\",\"marks\":[],\"data\":{}}]}]}"}}]}},"pageContext":{"limit":10,"skip":50,"numBlogPages":9,"currentPage":6}},
    "staticQueryHashes": []}