splunk / security_content

Splunk Security Content

Home Page: https://research.splunk.com


Apparent improper logic in Okta Verify Push detection

SethHanford opened this issue · comments

While doing testing on this logic, I noticed that the combination of eventType and outcome.result do not match Okta Verify Push rejections. The referenced "user.authentication.auth_via_mfa" does not return FAILURE during a Verify Push rejection; when a user rejects a push, the combination logged is: eventType=="user.mfa.okta_verify.deny_push" AND outcome.result=="FAILURE"

I've successfully tested this with Okta events in Azure Sentinel, but I do not have a Splunk environment to test and confirm a fix to issue a PR.

Note that you'll also need to include the eventType for "deny_push" in the core search:

search: '`okta` eventType IN (system.push.send_factor_verify_push) OR

Hello @SethHanford,

I apologize for the delay in addressing your concern. I appreciate your keen eye and in-depth testing on the logic, especially in the context of Okta.
To your point about the use of DC instead of sum: you're correct, the sum will yield a larger number. However, we chose to use DC primarily due to the behavior of threat actors (TAs) upon gaining access to an Okta session. TAs often engage in an exploration phase, clicking around to map the extent of their access. This behavior, which deviates from typical user activity, becomes a significant indicator for us.

Additionally, some user sessions can extend over a long duration, where users continually launch different apps from the dashboard. This frequent activity could potentially dilute the ratio we later employ in the detection process. Hence, while the sum could yield a higher value, DC offers a more accurate measure in the context of this detection logic.

As for the analytic's logic, it has been effectively functioning in our environment; however, it's important to recognize that each organization's setup and risk tolerance may vary significantly. Definitely mold the analytic as you see fit.

I hope this helps!

Hey Michael, not sure if I wasn't clear or if my report got confused with someone else's, but I don't think your reply addresses my concern. When I tested multiple denials of Okta push events, each denial was logged as "user.mfa.okta_verify.deny_push".

The logic on lines 46 & 47 is:
sum(eval(if(eventType="user.authentication.auth_via_mfa" AND
"outcome.result"="FAILURE",1,0))) as total_rejected

I believe it should be:
sum(eval(if(eventType="user.mfa.okta_verify.deny_push" AND
"outcome.result"="FAILURE",1,0))) as total_rejected
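To make the disagreement in this thread concrete, here is an added Python replay of the counting logic over a handful of constructed Okta System Log events. It is not code from the splunk/security_content project and not a Splunk search; it mirrors the `sum(eval(if(...)))` expression quoted above and the maintainer's `dc` versus `sum` point, then compares the eventType the detection currently matches against the one the reporter observed. The `user` grouping key, the sample events and the rejected-to-sent ratio are assumptions made for illustration; whether `user.mfa.okta_verify.deny_push` is the right eventType for every tenant is exactly the open question in the issue and should be confirmed against your own Okta logs.

```python
"""Replay of the Okta Verify Push rejection counting discussed in this issue.

All events below are constructed for illustration; they are not real Okta
telemetry. Field names eventType and outcome.result come from the issue text.
"""
from collections import defaultdict

# Event type the detection under discussion currently matches for rejections.
ORIGINAL_REJECT_EVENT = "user.authentication.auth_via_mfa"
# Event type the reporter observed when a user rejects a push.
REPORTED_REJECT_EVENT = "user.mfa.okta_verify.deny_push"
# Event type already in the core search for pushes being sent.
PUSH_SENT_EVENT = "system.push.send_factor_verify_push"

# Constructed sample: alice receives three pushes and denies two of them,
# then finally approves; bob receives one push and approves it.
# The "user" field is an assumed grouping key, not an Okta field name.
SAMPLE_EVENTS = [
    {"user": "alice", "eventType": PUSH_SENT_EVENT, "outcome.result": "SUCCESS"},
    {"user": "alice", "eventType": REPORTED_REJECT_EVENT, "outcome.result": "FAILURE"},
    {"user": "alice", "eventType": PUSH_SENT_EVENT, "outcome.result": "SUCCESS"},
    {"user": "alice", "eventType": REPORTED_REJECT_EVENT, "outcome.result": "FAILURE"},
    {"user": "alice", "eventType": PUSH_SENT_EVENT, "outcome.result": "SUCCESS"},
    {"user": "alice", "eventType": ORIGINAL_REJECT_EVENT, "outcome.result": "SUCCESS"},
    {"user": "bob", "eventType": PUSH_SENT_EVENT, "outcome.result": "SUCCESS"},
    {"user": "bob", "eventType": ORIGINAL_REJECT_EVENT, "outcome.result": "SUCCESS"},
]


def count_rejections(events, reject_event_type):
    """Equivalent of sum(eval(if(eventType=X AND "outcome.result"="FAILURE",1,0)))."""
    return sum(
        1
        for e in events
        if e["eventType"] == reject_event_type and e["outcome.result"] == "FAILURE"
    )


def count_pushes(events):
    """Number of push challenges sent (count of PUSH_SENT_EVENT)."""
    return sum(1 for e in events if e["eventType"] == PUSH_SENT_EVENT)


def distinct_count(events, field):
    """Equivalent of dc(field): distinct values seen, not number of events.

    This is the maintainer's point: a long legitimate session that repeats the
    same action inflates sum()/count(), but not dc().
    """
    return len({e[field] for e in events})


def summarize_by_user(events, reject_event_type):
    """Per-user rollup: pushes sent, rejections, distinct event types, ratio.

    The rejected/sent ratio is an assumed illustration of the kind of ratio the
    maintainer mentions; the real detection's ratio is not shown in the issue.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    summary = {}
    for user, evs in by_user.items():
        pushes = count_pushes(evs)
        rejected = count_rejections(evs, reject_event_type)
        summary[user] = {
            "total_pushes": pushes,
            "total_rejected": rejected,
            "distinct_event_types": distinct_count(evs, "eventType"),
            "reject_ratio": rejected / pushes if pushes else 0.0,
        }
    return summary


if __name__ == "__main__":
    for label, event_type in (("original", ORIGINAL_REJECT_EVENT),
                              ("reported", REPORTED_REJECT_EVENT)):
        print(f"--- counting rejections with eventType={event_type} ({label})")
        for user, row in summarize_by_user(SAMPLE_EVENTS, event_type).items():
            print(user, row)
```

Run against the constructed sample, the original eventType yields zero rejections for alice even though she denied two pushes, while the reporter's eventType yields two (a 2/3 rejected-to-sent ratio); this is the silent miss the reporter is describing, and it is worth checking with a deliberate push denial in a test tenant before changing the production search.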