Okta Threat Intelligence
The Okta Threat Intelligence detection is recorded when Okta identifies activity from infrastructure used by threat actors. For example, the account is flagged if a sign-in attempt originates from an IP address that Okta has high confidence is part of a phishing operation.
Detection risk level: High
These detections are considered high risk because Okta Threat Intelligence curates the infrastructure list behind them. The IPs hosting that infrastructure are tagged to events in ITP only for short periods of time, so the tag reflects current threat-actor use rather than a permanent reputation.
Policy configuration
In your entity risk policy, set these conditions:
- Detection: Okta Threat Intelligence
- Entity risk level: High
- Take this action: Run a Workflow to determine whether the user authenticated through the malicious infrastructure.
- If an event is found, add an action for Universal Logout to terminate all active sessions for the user.
- If an event isn't found, run a Workflow to notify the SOC team to begin an investigation.
Remediation strategy
- Immediate action: Run the workflow. Based on your policy configuration, Universal Logout should terminate the session.
- Block the threat: Add the malicious IP address to a blocked network zone to prevent any future attempts from that source.
- Investigate: Review the System Log for the event. Note the malicious IP, user agent, and any actions the attacker attempted to perform. Relevant events include user.mfa.factor.activate, user.mfa.factor.deactivate, user.mfa.factor.update, user.mfa.factor.suspend, user.mfa.factor.unsuspend, and user.mfa.factor.reset_all. You can also investigate the user's mailbox for suspicious emails, and review recent network traffic for signs of compromise. If you suspect phishing requests delivered by SMS, reach out to the users directly.
- Secure the account:
  - Contact the user through an out-of-band method (phone call, Slack/Teams) to confirm they weren't the source of the activity.
  - Initiate a mandatory password reset for the user.
  - Review all enrolled MFA factors with the user to ensure the attacker didn't register their own device.
- Some detections are triggered by requests that never become a sign-in attempt against Okta's services, so there's no corresponding user sign-in event in the System Log. This can occur when improperly formatted requests are redirected to Okta by a phishing site. Review web and email ingress and egress logs in your environment for any IP tagged in these detections to identify any further targeting by the threat actor.
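The following is an added example, not code from Okta or from this page, showing the decision the Workflow in the policy configuration has to make (Universal Logout if the user actually authenticated through the flagged infrastructure, otherwise notify the SOC) together with the MFA factor review from the investigation step. It assumes the Workflow already fetched the user's System Log events (for example from GET /api/v1/logs) as dicts in the System Log event shape; the use of user.session.start with outcome SUCCESS as the sign-in marker and the sample events are assumptions constructed for this illustration.

```python
"""Triage an Okta Threat Intelligence detection for one user (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Event types named in the remediation guidance above.
MFA_FACTOR_EVENTS = {
    "user.mfa.factor.activate", "user.mfa.factor.deactivate",
    "user.mfa.factor.update", "user.mfa.factor.suspend",
    "user.mfa.factor.unsuspend", "user.mfa.factor.reset_all",
}


@dataclass
class Triage:
    action: str                                   # "universal_logout" or "notify_soc"
    first_malicious_login: Optional[str] = None   # ISO timestamp of the sign-in, if any
    mfa_changes: List[Tuple[str, str]] = field(default_factory=list)


def triage(events: List[dict], flagged_ip: str) -> Triage:
    """Decide the policy action for a user given their System Log events."""
    events = sorted(events, key=lambda e: e["published"])
    login_at = None
    for e in events:
        # Assumption: a successful sign-in is user.session.start with outcome SUCCESS.
        if (e["eventType"] == "user.session.start"
                and e.get("outcome", {}).get("result") == "SUCCESS"
                and e.get("client", {}).get("ipAddress") == flagged_ip):
            login_at = e["published"]
            break
    if login_at is None:
        # No authentication through the malicious infrastructure: hand to the SOC.
        return Triage(action="notify_soc")
    # Any MFA factor change after that sign-in is worth reviewing with the user.
    mfa = [(e["published"], e["eventType"]) for e in events
           if e["eventType"] in MFA_FACTOR_EVENTS and e["published"] >= login_at]
    return Triage("universal_logout", login_at, mfa)


# Constructed sample events (not real log data) in System Log shape; 203.0.113.7 is a
# documentation-range placeholder standing in for the IP tagged by the detection.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "published": "2024-05-01T10:00:00.000Z",
     "outcome": {"result": "FAILURE"}, "client": {"ipAddress": "203.0.113.7"}},
    {"eventType": "user.session.start", "published": "2024-05-01T10:02:00.000Z",
     "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "203.0.113.7"}},
    {"eventType": "user.mfa.factor.activate", "published": "2024-05-01T10:05:00.000Z",
     "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "203.0.113.7"}},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, "203.0.113.7"))
```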
