[metadata]
# Rule lifecycle dates, in the repository's "YYYY/MM/DD" string convention.
creation_date = "2022/01/05"
integration = "okta"
maturity = "production"
# NOTE(review): this comment names required_fields, related_integrations and setup, but none of those
# keys appear in this file — presumably they are derived at build time; confirm before relying on them.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Presumably the oldest Elastic Stack release this rule is published to — verify against the rule schema.
min_stack_version = "8.3.0"
updated_date = "2022/11/07"
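[rule]
author = ["Elastic"]
description = """
Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the
user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured
for an organization to obtain unauthorized access.
"""
# The sequence in `query` cannot tell an attacker-driven push storm from a user who declines a couple of prompts
# and then signs in normally; record that here so alerts are triaged rather than closed on sight.
false_positives = [
    """
A user who denies one or more legitimate Okta Verify push prompts (for example, prompts caused by their own retried or
mistyped login) and then successfully completes single sign-on within the same 10 minute window will match this rule.
""",
]
index = ["filebeat-*", "logs-okta*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Abuse of Repeated MFA Push Notifications"
note = """## Triage and analysis

- Confirm with the user whether they initiated the sign-in and whether they remember receiving and declining the push
  prompts. Repeated, unexpected prompts that the user eventually approved is the classic MFA fatigue pattern.
- Compare the client IP address and user agent recorded on the denied push events with those on the subsequent SSO
  event. The sequence is joined only on `user.email`, so a different client denying the pushes versus completing the
  sign-on is a strong indicator that someone other than the user finished the login.
- Review the user's other Okta system log events in the same window and identify which application the SSO event
  granted access to.
- If the activity is confirmed malicious, reset the user's credentials and enrolled factors, revoke active Okta
  sessions, and scope the attacker's access from the application logs.

## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://www.mandiant.com/resources/russian-targeting-gov-business",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"]
risk_score = 73
rule_id = "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7"
severity = "high"
tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"]
type = "eql"
# Two denied Okta Verify pushes followed by an SSO authentication for the same user within 10 minutes; all three
# events must carry `user.email` to be joined.
# NOTE(review): the final stage matches the next `user.authentication.sso` event rather than an explicit
# push-accept event, so acceptance is inferred from the subsequent sign-on — hence the `false_positives` entry.
query = '''
sequence by user.email with maxspan=10m
[any where event.module == "okta" and event.action == "user.mfa.okta_verify.deny_push"]
[any where event.module == "okta" and event.action == "user.mfa.okta_verify.deny_push"]
[any where event.module == "okta" and event.action == "user.authentication.sso"]
'''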
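[[rule.threat]]
framework = "MITRE ATT&CK"
# MFA push fatigue is modelled by ATT&CK as T1621 (Multi-Factor Authentication Request Generation).
# T1110 is kept so existing searches and dashboards keyed on the original mapping still match this rule.
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"

[[rule.threat.technique]]
id = "T1621"
name = "Multi-Factor Authentication Request Generation"
reference = "https://attack.mitre.org/techniques/T1621/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"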