-
Notifications
You must be signed in to change notification settings - Fork 2.9k
/
RareMFAOperation.yaml
37 lines (37 loc) · 2.2 KB
/
RareMFAOperation.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
id: 18667b4a-18e5-4982-ba75-92ace62bc79c
name: Rare MFA Operations (Okta)
description: |
'Multi-Factor Authentication (MFA) helps prevent credential compromise.This query searches for rare MFA operations like deactivating, updating, resetting and attempts to bypass MFA.
Adversaries often attempt these operations to compromise networks and high-value accounts.Please verify that the behavior is known and filter out anything that is expected.
Refrence: https://developer.okta.com/docs/reference/api/event-types/'
requiredDataConnectors:
- connectorId: OktaSSO
dataTypes:
- Okta_CL
tactics:
- Persistence
relevantTechniques:
- T1098
query: |
let Events = dynamic(["user.mfa.factor.update", "system.mfa.factor.deactivate", "user.mfa.attempt_bypass", "user.mfa.factor.reset_all"]);
Okta_CL
| where eventType_s in (Events)
| where outcome_result_s =~ "SUCCESS"
| extend Target=parsejson(target_s)
| mvexpand bagexpansion=array (Target)
| evaluate bag_unpack(Target)
| extend Target_Id = tostring(column_ifexists('id', "")), Target_type = tostring(column_ifexists('type', "")), Target_user = tostring(column_ifexists('displayName', "")), Target_alternateId = tostring(column_ifexists('alternateId', ""))
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_id_s, actor_type_s, actor_alternateId_s, actor_displayName_s, Target_alternateId, Target_Id, Target_type, Target_user,debugContext_debugData_requestUri_s,
debugContext_debugData_requestId_s, domain_s, authenticationContext_externalSessionId_s, eventType_s, displayMessage_s, transaction_id_s, uuid_g, client_userAgent_rawUserAgent_s, client_userAgent_os_s, client_userAgent_browser_s,
client_ipAddress_s, column_ifexists('client_geographicalContext_city_s', ""), column_ifexists('client_geographicalContext_state_s', ""), column_ifexists('client_geographicalContext_country_s', ""), column_ifexists('securityContext_isp_s', "")
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: actor_displayName_s
- identifier: FullName
columnName: Target_user
- entityType: IP
fieldMappings:
- identifier: Address
columnName: client_ipAddress_s