Skip to content

Latest commit

 

History

History
19 lines (17 loc) · 17.2 KB

ds_okta_okta_adaptive_mfa.md

File metadata and controls

19 lines (17 loc) · 17.2 KB

Vendor: Okta

Product: Okta Adaptive MFA

Rules Models MITRE ATT&CK® TTPs Activity Types Parsers
142 54 17 14 55
Use-Case Activity Types (Legacy Event Type)/Parsers MITRE ATT&CK® TTP Content
Abnormal Authentication & Access user-create:success (account-creation)
okta-amfa-json-user-create-success-usercreation

user-enable:success (account-enabled)
okta-amfa-json-user-enable-success-published

user-lock:fail (account-lockout)
okta-amfa-cef-app-login-success-appadloginsuccess
okta-amfa-cef-app-login-success-coreuserauthloginsuccess
okta-amfa-mix-app-login-success-securitycontext
okta-amfa-cef-app-login-fail-apprichclientloginfailure
okta-amfa-json-user-lock-success-lockedout

user-password-modify:success (account-password-change)
okta-amfa-sk4-user-password-modify-success-passwordupdate

user-password-reset:success (account-password-reset)
okta-amfa-cef-user-password-reset-success-pwdreset-1
okta-amfa-cef-user-password-reset-success-pwdreset
okta-amfa-cef-user-password-reset-success-pwdreset-1
okta-amfa-cef-user-password-reset-success-pwdreset

scheduled_task-trigger:success (app-activity)
okta-amfa-cef-app-login-success-appadloginsuccess
okta-amfa-cef-app-login-success-coreuserauthloginsuccess
okta-amfa-mix-app-login-success-securitycontext
okta-amfa-cef-app-login-fail-apprichclientloginfailure
okta-amfa-cef-app-login-success-userauthverify
okta-amfa-sk4-app-published
okta-amfa-csv-app-login-success-securitycontext
okta-amfa-json-app-activity-success-appgroup
okta-amfa-json-app-activity-published
okta-amfa-json-app-app
okta-amfa-sk4-app-appactivity

app-login:success (app-login)
okta-amfa-json-app-login-success-signin
okta-amfa-json-app-login-success-activedirectory
okta-amfa-json-app-login-success-startnewsession
okta-amfa-kv-app-login-success-singlesignon
okta-amfa-sk4-app-login-success-signin
okta-amfa-json-app-login-success-iwaauthentication
okta-amfa-json-app-login-success-oauth2signon
okta-amfa-json-app-login-success-signinsuccessful
okta-amfa-json-app-login-success-singlesignon-1
okta-amfa-json-app-login-success-singlesignon
okta-amfa-json-app-login-success-evaluatesignon
okta-amfa-json-app-login-success-radiusagent
okta-amfa-cef-app-login-success-userssosuccess
okta-amfa-sk4-app-published
okta-amfa-cef-app-login-success-appadloginsuccess
okta-amfg-json-endpoint-login-success-authviaradius
okta-amfa-cef-app-login-success-coreuserauthloginsuccess
okta-amfa-mix-app-login-success-securitycontext
okta-amfa-cef-app-login-fail-apprichclientloginfailure
okta-amfa-csv-app-login-success-securitycontext
okta-amfa-json-app-activity-published
okta-amfa-json-app-app
okta-amfa-sk4-app-appactivity
okta-amfa-json-app-login-success-signon
okta-amfa-json-app-login-success-evaluatesignon-1

endpoint-login:fail (authentication-failed)
okta-amfg-cef-endpoint-login-fail-auth
okta-amfg-cef-endpoint-login-fail-invalidtoken
okta-amfg-cef-endpoint-login-fail-attemptfail
okta-amfa-cef-app-login-success-userauthverify

endpoint-login:success (authentication-successful)
okta-amfg-cef-endpoint-login-success-attemptsuccess
okta-amfa-json-endpoint-login-success-userlogin
okta-amfa-json-endpoint-login-success-authenticateuser
okta-amfa-sk4-endpoint-login-inbounddelauth
okta-amfa-cef-app-login-success-userauthverify

app-login:fail (failed-app-login)
okta-amfa-sk4-endpoint-login-inbounddelauth
okta-amfa-cef-app-login-fail-coreuserauthloginfailed
okta-amfa-cef-app-login-success-appadloginsuccess
okta-amfg-json-endpoint-login-success-authviaradius
okta-amfa-cef-app-login-success-coreuserauthloginsuccess
okta-amfa-mix-app-login-success-securitycontext
okta-amfa-cef-app-login-fail-apprichclientloginfailure
okta-amfa-csv-app-login-fail-signfailed
okta-amfa-csv-app-login-success-securitycontext
okta-amfa-kv-app-login-fail-signinfailure
okta-amfa-mix-app-login-fail-activedirectory
okta-amfa-json-app-login-fail-policy
okta-amfa-json-app-login-fail-useraccountlock
okta-amfa-json-app-login-fail-factor
okta-amfa-json-app-login-fail-signin
okta-amfa-json-app-login-fail-signinfailed
okta-amfa-json-app-login-fail-signinfailed-1
okta-amfa-json-app-login-fail-signinfailure
okta-amfa-mix-app-login-fail-suspiciousactivity
okta-amfa-sk4-app-appactivity
okta-amfa-json-app-login-success-evaluatesignon-1

group-member-add:success (member-added)
okta-amfa-json-group-member-add-success-active
okta-amfa-sk4-group-member-add-success-adduser

group-member-remove:success (member-removed)
okta-amfa-sk4-group-member-remove-success-groupmembership
 T1078 - Valid Accounts
T1110 - Brute Force
T1133 - External Remote Services
  • 16 Rules
  • 4 Models
Account Manipulation user-create:success (account-creation)
okta-amfa-json-user-create-success-usercreation

user-password-modify:success (account-password-change)
okta-amfa-sk4-user-password-modify-success-passwordupdate

user-password-reset:success (account-password-reset)
okta-amfa-cef-user-password-reset-success-pwdreset-1
okta-amfa-cef-user-password-reset-success-pwdreset
okta-amfa-cef-user-password-reset-success-pwdreset-1
okta-amfa-cef-user-password-reset-success-pwdreset

scheduled_task-trigger:success (app-activity)
okta-amfa-cef-app-login-success-appadloginsuccess
okta-amfa-cef-app-login-success-coreuserauthloginsuccess
okta-amfa-mix-app-login-success-securitycontext
okta-amfa-cef-app-login-fail-apprichclientloginfailure
okta-amfa-cef-app-login-success-userauthverify
okta-amfa-sk4-app-published
okta-amfa-csv-app-login-success-securitycontext
okta-amfa-json-app-activity-success-appgroup
okta-amfa-json-app-activity-published
okta-amfa-json-app-app
okta-amfa-sk4-app-appactivity

group-member-add:success (member-added)
okta-amfa-json-group-member-add-success-active
okta-amfa-sk4-group-member-add-success-adduser

group-member-remove:success (member-removed)
okta-amfa-sk4-group-member-remove-success-groupmembership
 T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 46 Rules
  • 19 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
External Remote Services

Valid Accounts

Exploit Public Fasing Application

 Create Account

External Remote Services

Valid Accounts

Account Manipulation

Create Account: Create: Local Account

Account Manipulation: Exchange Email Delegate Permissions

 Valid Accounts

Exploitation for Privilege Escalation

 Obfuscated Files or Information: Indicator Removal from Tools

Valid Accounts

Obfuscated Files or Information

 Brute Force

 Email Collection

Email Collection: Email Forwarding Rule

 Proxy: Multi-hop Proxy

Proxy