Okta device assignment

Cortex XDR Analytics Alert Reference by data source

Product: Cortex XDR
Last date published: 2024-12-03
Category: Analytics Alert Reference
Order: data source

Synopsis

Activation Period: 14 Days
Training Period: 30 Days
Test Period: 6 Hours
Deduplication Period: 1 Day

Required Data:

  • Requires:
    • Okta Audit Log

Detection Modules: Identity Threat Module
Detector Tags: Okta Audit Analytics
ATT&CK Tactic:
ATT&CK Technique: Valid Accounts (T1078)
Severity: Informational

Description

A device was assigned as an Okta MFA device to a user.

Attacker's Goals

To maintain persistence, an attacker could register their own device as an MFA device on various accounts that have been compromised.

Investigative actions

  • Confirm that the device assignments were intentionally made by the users and are legitimate.
  • Examine the IP address and assess its reputation.
  • Continue monitoring the accounts for any subsequent actions that may indicate suspicious behavior.

Variations

A suspicious assignment of a mobile device to multiple users

Synopsis

ATT&CK Tactic:
ATT&CK Technique: Valid Accounts (T1078)
Severity: Low

Description

A single device is being used as an Okta MFA device by multiple users.

Attacker's Goals

To maintain persistence, an attacker could register their own device as an MFA device on various accounts that have been compromised.

Investigative actions

  • Confirm that the device assignments were intentionally made by the users and are legitimate.
  • Examine the IP address and assess its reputation.
  • Continue monitoring the accounts for any subsequent actions that may indicate suspicious behavior.
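
The check behind this variation can be reproduced during triage by grouping device-assignment events by device and counting distinct users. The sketch below is an added example, not Cortex XDR's detector logic: the flat record layout (`time`, `user`, `device_id`, `ip`) is a hypothetical normalization of Okta audit log events, the sample records are constructed, and the two-user threshold is an assumption.

```python
from collections import defaultdict

# Constructed sample records standing in for device-assignment events taken
# from the Okta audit log. Field names are hypothetical, not the Okta schema.
SAMPLE_EVENTS = [
    {"time": "2024-11-30T08:01:12Z", "user": "alice@example.com", "device_id": "dev-A1", "ip": "198.51.100.7"},
    {"time": "2024-11-30T08:05:40Z", "user": "alice@example.com", "device_id": "dev-A1", "ip": "198.51.100.7"},
    {"time": "2024-11-30T09:14:03Z", "user": "bob@example.com", "device_id": "dev-B2", "ip": "198.51.100.9"},
    {"time": "2024-11-30T23:41:55Z", "user": "carol@example.com", "device_id": "dev-X9", "ip": "203.0.113.50"},
    {"time": "2024-11-30T23:47:10Z", "user": "Dave@example.com", "device_id": "dev-X9", "ip": "203.0.113.50"},
    {"time": "2024-12-01T00:02:31Z", "user": "erin@example.com", "device_id": "dev-X9", "ip": "203.0.113.77"},
    {"time": "2024-12-01T00:10:00Z", "user": "frank@example.com", "device_id": None, "ip": "198.51.100.3"},
]

MIN_USERS = 2  # assumption: "multiple users" means two or more distinct accounts


def shared_mfa_devices(events, min_users=MIN_USERS):
    """Return {device_id: summary} for devices assigned to >= min_users distinct users."""
    by_device = defaultdict(list)
    for ev in events:
        # Records without a device or user cannot be attributed; skip them.
        if ev.get("device_id") and ev.get("user"):
            by_device[ev["device_id"]].append(ev)

    findings = {}
    for device_id, evs in by_device.items():
        # Case-fold user names so repeat enrollments by one user count once.
        users = sorted({e["user"].lower() for e in evs})
        if len(users) < min_users:
            continue
        evs = sorted(evs, key=lambda e: e.get("time", ""))
        findings[device_id] = {
            "users": users,  # accounts to confirm the assignment with
            "ips": sorted({e["ip"] for e in evs if e.get("ip")}),  # for reputation checks
            "first_seen": evs[0].get("time"),
            "last_seen": evs[-1].get("time"),
        }
    return findings


if __name__ == "__main__":
    for device_id, info in shared_mfa_devices(SAMPLE_EVENTS).items():
        print(device_id, info)
```

Each finding carries the users and source IP addresses needed for the investigative actions listed above.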