Detection rules › Panther
Potential Compromised Okta Credentials
Identifies high-confidence credential compromise by detecting an Okta login without Push Security verification followed by a Push Security phishing attack against the same user within 60 minutes. This sequence indicates an attacker authenticated to Okta with stolen credentials and then attempted MFA fatigue or push bombing. The correlation of both events provides strong evidence of active account compromise requiring immediate response.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Reconnaissance | T1598 Phishing for Information |
| Initial Access | T1078 Valid Accounts |
| Credential Access | T1539 Steal Web Session Cookie, T1621 Multi-Factor Authentication Request Generation |
Rule body

```yaml
AnalysisType: correlation_rule
RuleID: "Potential.Compromised.Okta.Credentials"
DisplayName: "Potential Compromised Okta Credentials"
Enabled: false
Tags:
  - Okta
  - Push Security
  - Credential Compromise
  - Phishing
  - Configuration Required
Reports:
  MITRE ATT&CK:
    - TA0001:T1078 # Initial Access: Valid Accounts
    - TA0006:T1539 # Credential Access: Steal Web Session Cookie
    - TA0006:T1598 # Credential Access: Phishing for Information
    - TA0006:T1621 # Credential Access: Multi-Factor Authentication Request Generation
Severity: Critical
Description: >
  Identifies high-confidence credential compromise by detecting Okta login without Push Security verification followed by Push Security phishing attack within 60 minutes. This sequence indicates an attacker authenticated to Okta with stolen credentials then attempted MFA fatigue or push bombing attacks. The correlation of both events provides strong evidence of active account compromise requiring immediate response.
Runbook: |
  1. Query Okta System Log for all actions taken during the compromised session by actor.alternateId between the unauthorized login and Push Security phishing attack, looking for application access, data downloads, configuration changes, or privilege escalations
  2. Review the Push Security phishing attack details to identify the attacker's tactics, timing, and social engineering methods, then analyze the source IP address from the Okta login using threat intelligence feeds to determine if it's associated with known malicious infrastructure
  3. Query email logs and security awareness training platforms for phishing emails targeting the user in the 30 days before the compromise to identify the potential credential theft vector
Reference: https://www.okta.com/resources/datasheet/okta-adaptive-multi-factor-authentication-product-datasheet/
Detection:
  - Sequence:
      - ID: Login Without Push Marker
        RuleID: Okta.Login.Without.Push.Marker
      - ID: Push Phishing
        RuleID: Push.Security.Phishing.Attack
    Transitions:
      - ID: Match on user
        From: Login Without Push Marker
        To: Push Phishing
        WithinTimeFrameMinutes: 60
        Match:
          - From: actor.alternateId
            To: new.employee.email
    Schedule:
      RateMinutes: 1440
      TimeoutMinutes: 10
      LookbackWindowMinutes: 2160
Tests:
  - Name: Login Without Marker, Followed By Phishing Detection
    ExpectedResult: true
    RuleOutputs:
      - ID: Login Without Push Marker
        Matches:
          actor.alternateId:
            frodo.baggins@hobbiton.com:
              - 0
      - ID: Push Phishing
        Matches:
          new.employee.email:
            frodo.baggins@hobbiton.com:
              - 3
  - Name: Login Without Marker, Followed By Phishing Detection for Different User
    ExpectedResult: false
    RuleOutputs:
      - ID: Login Without Push Marker
        Matches:
          actor.alternateId:
            frodo.baggins@hobbiton.com:
              - 0
      - ID: Push Phishing
        Matches:
          new.employee.email:
            samwise.gamgee@hobbiton.com:
              - 3
  - Name: Login Without Marker, Not Followed By Phishing Detection
    ExpectedResult: false
    RuleOutputs:
      - ID: Login Without Push Marker
        Matches:
          actor.alternateId:
            frodo.baggins@hobbiton.com:
              - 0
```
Detection logic

- Stage 1: step "Login Without Push Marker" must occur before "Push Phishing". References detection Okta.Login.Without.Push.Marker.
- Stage 2: step "Push Phishing" must occur after "Login Without Push Marker". References detection Push.Security.Phishing.Attack.

The "Match on user" transition joins the two steps on the user identity (actor.alternateId from the Okta login equals new.employee.email from the Push Security detection) and only fires when the phishing detection lands within 60 minutes of the login. A Push Security detection for a different user, or one with no preceding login, does not complete the sequence, as the rule's second and third tests show.
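As an added example (not Panther's correlation engine and not part of the rule above), the transition logic in plain Python over constructed sub-rule outputs: it joins the two steps on the user field, enforces ordering, and applies the 60-minute window, covering the page's three test cases plus a same-user phishing detection that arrives too late. The `event_time` field is an assumed per-match timestamp added for the example.

```python
from datetime import datetime, timedelta

# Constructed sub-rule outputs standing in for the stored matches of the two
# referenced detections. Field names follow the rule's Match block;
# "event_time" is an assumed timestamp field used only by this example.
LOGIN_WITHOUT_PUSH_MARKER = [
    {"actor.alternateId": "frodo.baggins@hobbiton.com",
     "event_time": datetime(2024, 5, 1, 9, 0)},
]
PUSH_PHISHING_SAME_USER = [
    {"new.employee.email": "frodo.baggins@hobbiton.com",
     "event_time": datetime(2024, 5, 1, 9, 3)},
]
PUSH_PHISHING_OTHER_USER = [
    {"new.employee.email": "samwise.gamgee@hobbiton.com",
     "event_time": datetime(2024, 5, 1, 9, 3)},
]
PUSH_PHISHING_TOO_LATE = [
    {"new.employee.email": "frodo.baggins@hobbiton.com",
     "event_time": datetime(2024, 5, 1, 10, 30)},
]

WITHIN_TIME_FRAME_MINUTES = 60  # WithinTimeFrameMinutes in the rule


def correlate(logins, phishing, within_minutes=WITHIN_TIME_FRAME_MINUTES):
    """Return (login, phishing) pairs that satisfy the "Match on user"
    transition: actor.alternateId equals new.employee.email, and the
    phishing detection comes at or after the login, no more than
    within_minutes later."""
    window = timedelta(minutes=within_minutes)
    hits = []
    for login in logins:
        user = login["actor.alternateId"]
        for ev in phishing:
            if ev["new.employee.email"] != user:
                continue  # different user: transition not satisfied
            gap = ev["event_time"] - login["event_time"]
            if timedelta(0) <= gap <= window:  # ordered and inside the window
                hits.append((login, ev))
    return hits


def rule_fires(logins, phishing):
    """True when at least one complete login -> phishing sequence exists."""
    return bool(correlate(logins, phishing))


if __name__ == "__main__":
    print(rule_fires(LOGIN_WITHOUT_PUSH_MARKER, PUSH_PHISHING_SAME_USER))   # True
    print(rule_fires(LOGIN_WITHOUT_PUSH_MARKER, PUSH_PHISHING_OTHER_USER))  # False
    print(rule_fires(LOGIN_WITHOUT_PUSH_MARKER, []))                        # False
```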