Okta New Device Enrolled on Account
Description
The following analytic identifies when a new device is enrolled on an Okta account. This behavior is indicative of a user adding a new device to their account. This activity is common when a user is setting up a new device or when a user has lost access to their previous device. However, this activity can also be indicative of an adversary adding a new device to an account to maintain access to an account. Monitoring for this activity can help detect potential account takeover attempts or unauthorized access to Okta accounts.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Change
- Last Updated: 2024-03-8
- Author: Michael Haag, Mauricio Velazco, Splunk
- ID: bb27cbce-d4de-432c-932f-2e206e9130fb
Annotations
ATT&CK
Kill Chain Phase
- Installation
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where All_Changes.action=created All_Changes.command=device.enrollment.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category
| `drop_dm_object_name("All_Changes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_new_device_enrolled_on_account_filter`
Macros
The SPL above uses the following Macros:
okta_new_device_enrolled_on_account_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
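As an added illustration (not code from the Splunk Security Content project or the Okta add-on), the following Python models the logic of the search above and of the filter macro: it keeps only device.enrollment.create events, buckets them into 5-minute spans, groups by user, result and source, and reports count, firstTime and lastTime, with an allowlist standing in for okta_new_device_enrolled_on_account_filter. The sample events are constructed, and the flat field names (eventType, user, result, src) are an assumption about how the add-on maps raw Okta fields into the Change data model.

```python
"""Offline model of the 'Okta New Device Enrolled on Account' detection.

Added example; not the page's SPL and not part of any Splunk product.
"""
from collections import defaultdict
from datetime import datetime, timezone

SPAN_SECONDS = 300  # mirrors span=5m in the tstats search
TARGET_EVENT = "device.enrollment.create"

# Constructed sample events. Field names are an assumption for this example.
SAMPLE_EVENTS = [
    {"_time": "2024-03-08T10:01:12Z", "eventType": TARGET_EVENT,
     "user": "alice@example.com", "result": "SUCCESS", "src": "203.0.113.10"},
    {"_time": "2024-03-08T10:03:40Z", "eventType": TARGET_EVENT,
     "user": "alice@example.com", "result": "SUCCESS", "src": "203.0.113.10"},
    {"_time": "2024-03-08T10:02:05Z", "eventType": "user.session.start",
     "user": "alice@example.com", "result": "SUCCESS", "src": "203.0.113.10"},
    {"_time": "2024-03-08T11:30:00Z", "eventType": TARGET_EVENT,
     "user": "bob@example.com", "result": "SUCCESS", "src": "198.51.100.7"},
    {"_time": "2024-03-08T11:31:00Z", "eventType": TARGET_EVENT,
     "user": "svc-mdm@example.com", "result": "SUCCESS", "src": "192.0.2.5"},
]


def _to_epoch(ts):
    """Parse an ISO-8601 UTC timestamp ('...Z') into epoch seconds."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def _ctime(epoch):
    """Render epoch seconds as a readable UTC time (like security_content_ctime)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def risk_score(impact, confidence):
    """Risk Score = Impact * Confidence / 100, as stated on the page."""
    return impact * confidence / 100


def detect_new_device_enrollments(events, allowlisted_users=()):
    """Return one row per (5m bucket, user, result, src) of enrollment events.

    allowlisted_users plays the role of the empty-by-default filter macro:
    rows for those users are dropped after aggregation, so the core search
    does not change when an analyst tunes out known-good enrollments.
    """
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if ev.get("eventType") != TARGET_EVENT:
            continue  # only device enrollment creations are of interest
        t = _to_epoch(ev["_time"])
        bucket = t - (t % SPAN_SECONDS)  # floor to the 5-minute span
        key = (bucket, ev["user"], ev["result"], ev["src"])
        g = groups[key]
        g["count"] += 1
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)

    rows = []
    for (bucket, user, result, src), g in sorted(groups.items()):
        if user in allowlisted_users:
            continue  # filter-macro analogue: suppress known false positives
        rows.append({
            "_time": _ctime(bucket),
            "user": user,
            "result": result,
            "src": src,
            "count": g["count"],
            "firstTime": _ctime(g["firstTime"]),
            "lastTime": _ctime(g["lastTime"]),
            "risk_score": risk_score(40, 60),
            "message": (f"A new device was enrolled on an Okta account for user "
                        f"[{user}]. Investigate further to determine if this was authorized."),
        })
    return rows


if __name__ == "__main__":
    for row in detect_new_device_enrollments(SAMPLE_EVENTS, {"svc-mdm@example.com"}):
        print(row)
```

Running the module prints two rows: alice's two enrollments from the same source collapse into the 10:00 bucket with count 2, bob's single enrollment is its own row, and the allowlisted service account is suppressed exactly as a populated filter macro would suppress it in Splunk.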
Required fields
List of fields required to use this analytic.
- _time
- displayMessage
- user
- eventType
- client.userAgent.rawUserAgent
- client.userAgent.browser
- client.geographicalContext.city
- client.geographicalContext.country
How To Implement
The analytic leverages Okta OktaIm2 logs ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
Known False Positives
It is possible that the user has legitimately added a new device to their account. Please verify this activity.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 24.0 | 40 | 60 | A new device was enrolled on an Okta account for user [$user$]. Investigate further to determine if this was authorized. |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
- https://attack.mitre.org/techniques/T1098/005/
- https://developer.okta.com/docs/reference/api/event-types/?q=device.enrollment.create
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range.
source | version: 2