User added a new device to Okta Verify instance

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Okta Audit Log

Detection Modules

Identity Threat Module

Detector Tags

Okta Audit Analytics

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Severity

Informational

Description

The user has successfully registered a new device with the Okta Verify application.

Attacker's Goals

Attackers may exploit the device registration process in Okta by registering unauthorized devices, thereby gaining access to sensitive resources and user accounts within an organization.

Investigative actions

  • Reach out to the user responsible for the device registration to confirm its legitimacy.
  • Examine the user's actions preceding and following the activation of the alert.
  • Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).
  • Make sure the IP address is not showing any abnormal activity.
  • Monitor the activity from the newly registered device and ensure that it matches the user's normal activity.

Variations

Suspicious device enrollment to Okta

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Severity

Low

Description

A new device was registered on Okta with suspicious characteristics, which increased the alert severity.

Attacker's Goals

Attackers may exploit the device registration process in Okta by registering unauthorized devices, thereby gaining access to sensitive resources and user accounts within an organization.

Investigative actions

  • Reach out to the user responsible for the device registration to confirm its legitimacy.
  • Examine the user's actions preceding and following the activation of the alert.
  • Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).
  • Make sure the IP address is not showing any abnormal activity.
  • Monitor the activity from the newly registered device and ensure that it matches the user's normal activity.
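The base alert and its "suspicious characteristics" variation, using the 30-day training period and 1-day deduplication period stated above, as an added Python example that is not Cortex XDR's own detection logic. The `device.enrollment.create` eventType name, the reduced record layout, and "ASN never seen for this user during training" as the stand-in for a suspicious characteristic are assumptions; the audit records are constructed.

```python
from datetime import datetime, timedelta

TRAINING = timedelta(days=30)  # Training Period: 30 Days
DEDUP = timedelta(days=1)      # Deduplication Period: 1 Day (per user)
ENROLL_EVENT = "device.enrollment.create"  # assumed Okta System Log eventType

# Constructed Okta audit records, reduced to the fields this triage uses.
EVENTS = [
    {"published": "2024-11-01T09:00:00Z", "eventType": "user.session.start",
     "user": "alice", "ip": "203.0.113.10", "asn": "AS64500"},
    {"published": "2024-11-10T09:05:00Z", "eventType": "user.session.start",
     "user": "alice", "ip": "203.0.113.11", "asn": "AS64500"},
    {"published": "2024-11-20T08:55:00Z", "eventType": ENROLL_EVENT,
     "user": "alice", "ip": "203.0.113.10", "asn": "AS64500"},
    {"published": "2024-11-25T03:12:00Z", "eventType": ENROLL_EVENT,
     "user": "alice", "ip": "198.51.100.7", "asn": "AS64496"},
    {"published": "2024-11-25T03:40:00Z", "eventType": ENROLL_EVENT,
     "user": "alice", "ip": "198.51.100.8", "asn": "AS64496"},
    {"published": "2024-11-26T10:00:00Z", "eventType": ENROLL_EVENT,
     "user": "bob", "ip": "192.0.2.5", "asn": "AS64501"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def baseline(events, user, before):
    """ASNs the user was seen from in the training window ending at `before`."""
    return {e["asn"] for e in events
            if e["user"] == user and before - TRAINING <= _ts(e["published"]) < before}


def evaluate(events):
    """One alert per non-deduplicated enrollment: (time, user, name, severity, ip)."""
    alerts, last_alert = [], {}
    for e in sorted(events, key=lambda e: e["published"]):
        if e["eventType"] != ENROLL_EVENT:
            continue
        t = _ts(e["published"])
        if e["user"] in last_alert and t - last_alert[e["user"]] < DEDUP:
            continue  # same user already alerted within the deduplication period
        known = baseline(events, e["user"], t)
        if known and e["asn"] not in known:
            name, sev = "Suspicious device enrollment to Okta", "Low"
        else:  # matches baseline, or no baseline exists yet (single event)
            name, sev = "User added a new device to Okta Verify instance", "Informational"
        alerts.append((e["published"], e["user"], name, sev, e["ip"]))
        last_alert[e["user"]] = t
    return alerts
```

The IP returned with each alert is the one to check against reputation and ASN data during the investigative actions listed above.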