{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/suspicious-activity/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Okta"],"_cs_severities":["medium"],"_cs_tags":["identity","okta","suspicious-activity"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eThis alert focuses on detecting when an end-user within an Okta environment reports suspicious activity related to their account. This is a critical indicator that the account may be compromised, or that unauthorized access has occurred. The activity is reported directly by the end-user. While this alert does not directly reveal the method of compromise, it serves as an important signal for security teams to investigate potentially malicious activity. This event triggers from an Okta system log event generated when an end-user utilizes the \u0026ldquo;report suspicious activity\u0026rdquo; feature, available in many Okta deployments. Early detection allows security teams to rapidly respond, contain potential damage, and investigate the source of the suspicious activity.\nThis type of self-reporting by end-users can be an invaluable source of threat intelligence within an organization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an end-user\u0026rsquo;s Okta account, possibly via credential phishing or password reuse.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to perform actions such as accessing applications, changing profile details, or initiating password resets.\u003c/li\u003e\n\u003cli\u003eThe legitimate end-user observes suspicious activity in their Okta account, such as unfamiliar login locations, unauthorized application access, or unexpected password reset requests.\u003c/li\u003e\n\u003cli\u003eThe end-user utilizes the \u0026ldquo;report suspicious activity\u0026rdquo; feature within their Okta account portal.\u003c/li\u003e\n\u003cli\u003eThis action generates an Okta system log event with the eventType \u003ccode\u003euser.account.report_suspicious_activity_by_enduser\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers based on this specific Okta log event.\u003c/li\u003e\n\u003cli\u003eSecurity analysts investigate the reported activity, examining Okta logs and other relevant data sources.\u003c/li\u003e\n\u003cli\u003eBased on the investigation, appropriate remediation steps are taken, such as resetting the user\u0026rsquo;s password, revoking active sessions, and blocking any identified malicious IP addresses.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful account compromise can lead to unauthorized access to sensitive applications and data within the organization. The number of affected users and the impact will depend on the permissions and access granted to the compromised Okta account. This can result in data breaches, financial loss, and reputational damage.\nPrompt detection of end-user reported suspicious activity allows for rapid incident response, minimizing potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Okta Suspicious Activity Reported by End-user\u0026rdquo; to your SIEM to detect when users report suspicious activity, using \u003ccode\u003eeventType: 'user.account.report_suspicious_activity_by_enduser'\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview Okta system logs for further details surrounding the events that prompted the user report (see references for log details).\u003c/li\u003e\n\u003cli\u003eImplement end-user training programs to educate users on how to identify and report suspicious activity.\u003c/li\u003e\n\u003cli\u003eInvestigate all triggered alerts to determine the root cause of the reported suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-17T12:00:00Z","date_published":"2024-01-17T12:00:00Z","id":"/briefs/2024-01-17-okta-suspicious-activity/","summary":"An Okta end-user reports potentially suspicious activity on their account, indicating possible compromise or unauthorized access.","title":"Okta End-User Reports Suspicious Account Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-17-okta-suspicious-activity/"}],"language":"en","title":"CraftedSignal Threat Feed — Suspicious-Activity","version":"https://jsonfeed.org/version/1.1"}