User added a new device to Okta Verify instance

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2025-01-19
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Okta Audit Log

Detection Modules

Identity Threat Module

Detector Tags

Okta Audit Analytics

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Severity

Informational

Description

The user has successfully registered a new device with the Okta Verify application.

Attacker's Goals

Attackers may exploit the device registration process in Okta by registering unauthorized devices, thereby gaining access to sensitive resources and user accounts within an organization.

Investigative actions

  • Reach out to the user responsible for the device registration to confirm its legitimacy.
  • Examine the user's actions preceding and following the activation of the alert.
  • Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).
  • Make sure the IP address is not showing any abnormal activity.
  • Monitor the activity from the newly registered device and ensure that it matches the user's normal activity.

Variations

Suspicious device enrollment to Okta

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Severity

Low

Description

A new device was registered on Okta with suspicious characteristics, which increased the alert severity.

Attacker's Goals

Attackers may exploit the device registration process in Okta by registering unauthorized devices, thereby gaining access to sensitive resources and user accounts within an organization.

Investigative actions

  • Reach out to the user responsible for the device registration to confirm its legitimacy.
  • Examine the user's actions preceding and following the activation of the alert.
  • Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).
  • Make sure the IP address is not showing any abnormal activity.
  • Monitor the activity from the newly registered device and ensure that it matches the user's normal activity.
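An added illustration of how the base alert and its variation above relate (example code written for this page, not Cortex XSIAM's own detection logic): it scans constructed Okta audit events for device enrollments, suppresses repeats of the same user/device pair inside the 1-day deduplication period, and raises the severity from Informational to Low when the enrolling IP falls outside the user's baseline, which stands in for the 30-day training period. The event type name, field names and IP baseline are assumptions, not values from the page.

```python
from datetime import datetime, timedelta

# Event type assumed for Okta Verify device enrollment (not taken from the page).
ENROLL_EVENT = "device.enrollment.create"

# Constructed per-user IP baseline, standing in for the 30-day training period.
BASELINE = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.20"}}

# Constructed sample Okta audit log events, reduced to the fields used here.
SAMPLE_EVENTS = [
    {"published": "2025-01-10T09:00:00Z", "eventType": ENROLL_EVENT,
     "actor": "alice", "client_ip": "203.0.113.10", "device": "alice-iphone"},
    {"published": "2025-01-10T11:00:00Z", "eventType": ENROLL_EVENT,
     "actor": "alice", "client_ip": "203.0.113.10", "device": "alice-iphone"},
    {"published": "2025-01-10T12:00:00Z", "eventType": "user.session.start",
     "actor": "bob", "client_ip": "203.0.113.20", "device": "bob-laptop"},
    {"published": "2025-01-10T13:00:00Z", "eventType": ENROLL_EVENT,
     "actor": "bob", "client_ip": "198.51.100.7", "device": "unknown-android"},
    {"published": "2025-01-12T09:30:00Z", "eventType": ENROLL_EVENT,
     "actor": "alice", "client_ip": "203.0.113.10", "device": "alice-iphone"},
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def detect(events, baseline, dedup_window=timedelta(days=1)):
    """Return one alert per enrollment event, suppressing repeats of the same
    user/device pair that fall inside the deduplication window."""
    alerts, last_alerted = [], {}
    for ev in sorted(events, key=lambda e: parse_ts(e["published"])):
        if ev["eventType"] != ENROLL_EVENT:
            continue  # single-event detector: only enrollments matter
        key = (ev["actor"], ev["device"])
        ts = parse_ts(ev["published"])
        if key in last_alerted and ts - last_alerted[key] < dedup_window:
            continue  # same user/device already alerted within 1 day
        last_alerted[key] = ts
        # Enrollment from an IP outside the user's baseline is the
        # "suspicious characteristic" that promotes the alert to the variation.
        suspicious = ev["client_ip"] not in baseline.get(ev["actor"], set())
        alerts.append({
            "user": ev["actor"], "device": ev["device"], "ip": ev["client_ip"],
            "name": "Suspicious device enrollment to Okta" if suspicious
                    else "User added a new device to Okta Verify instance",
            "severity": "Low" if suspicious else "Informational",
        })
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, BASELINE):
        print(alert)
```

The remaining investigative actions (confirming with the user, checking IP and ASN reputation) are manual follow-ups on the alerts this produces, not something the detector itself decides.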