[Rule Tuning] Potential Okta MFA Bombing via Push Notifications (#5073)

terrancedejesus · w0rk3r · web-flow · commit 02fcd43dbde6 · 2025-09-11T16:24:09.000-04:00
* updated rule logic

* adjusted similar rule; added factor specification

* updated investigation guide

---------

Co-authored-by: Jonhnathan &lt;26856693+w0rk3r@users.noreply.github.com&gt;
diff --git a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/18"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/09/10"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ user eventually accepts the Okta push notification. An adversary may attempt to
 for an organization to obtain unauthorized access.
 """
 event_category_override = "event.category"
-index = ["filebeat-*", "logs-okta*"]
+index = ["filebeat-*", "logs-okta.system*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Okta MFA Bombing via Push Notifications"
@@ -60,29 +60,41 @@ references = [
 ]
 risk_score = 73
 rule_id = "8a0fbd26-867f-11ee-947c-f661ea17fbcd"
-setup = """## Setup
-
-The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
-"""
 severity = "high"
 tags = [
+    "Domain: Identity",
     "Use Case: Identity and Access Audit",
     "Tactic: Credential Access",
     "Data Source: Okta",
+    "Data Source: Okta System Logs",
     "Resources: Investigation Guide",
 ]
 type = "eql"
 
 query = '''
 sequence by okta.actor.id with maxspan=10m
-  [authentication where event.dataset == "okta.system"
-    and okta.event_type == "user.mfa.okta_verify.deny_push"] with runs=5
-  until [authentication where event.dataset == "okta.system"
-    and (okta.event_type: (
-      "user.authentication.sso",
-      "user.authentication.auth_via_mfa",
-      "user.authentication.verify",
-      "user.session.start") and okta.outcome.result == "SUCCESS")]
+  [ any
+    where event.dataset == "okta.system"
+      and (
+        okta.event_type == "user.mfa.okta_verify.deny_push"
+        or (
+          okta.event_type == "user.authentication.auth_via_mfa"
+          and okta.debug_context.debug_data.factor == "OKTA_VERIFY_PUSH"
+          and okta.outcome.reason == "INVALID_CREDENTIALS"
+        )
+      )
+  ] with runs=5
+  until
+  [ any
+    where event.dataset == "okta.system"
+      and okta.event_type in (
+        "user.authentication.sso",
+        "user.authentication.auth_via_mfa",
+        "user.authentication.verify",
+        "user.session.start"
+      )
+      and okta.outcome.result == "SUCCESS"
+  ]
 '''
 
 
diff --git a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/05"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/09/10"
 
 [rule]
 author = ["Elastic"]
@@ -12,13 +12,13 @@ user eventually accepts the Okta push notification. An adversary may attempt to
 for an organization to obtain unauthorized access.
 """
 event_category_override = "event.category"
-index = ["filebeat-*", "logs-okta*"]
+index = ["filebeat-*", "logs-okta.system*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Potentially Successful MFA Bombing via Push Notifications"
+name = "Potentially Successful Okta MFA Bombing via Push Notifications"
 note = """## Triage and analysis
 
-### Investigating Potentially Successful MFA Bombing via Push Notifications
+### Investigating Potentially Successful Okta MFA Bombing via Push Notifications
 
 Multi-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.
 
@@ -65,23 +65,38 @@ risk_score = 73
 rule_id = "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7"
 severity = "high"
 tags = [
+    "Domain: Identity",
     "Use Case: Identity and Access Audit",
     "Tactic: Credential Access",
     "Data Source: Okta",
+    "Data Source: Okta System Logs",
     "Resources: Investigation Guide",
 ]
 type = "eql"
 
 query = '''
 sequence by okta.actor.id with maxspan=10m
-  [authentication where event.dataset == "okta.system" and event.module == "okta"
-    and event.action == "user.mfa.okta_verify.deny_push"] with runs=3
-  [authentication where event.dataset == "okta.system" and event.module == "okta"
-    and (event.action : (
-      "user.authentication.sso",
-      "user.authentication.auth_via_mfa",
-      "user.authentication.verify",
-      "user.session.start") and okta.outcome.result == "SUCCESS")]
+  [ any
+    where event.dataset == "okta.system"
+      and (
+        okta.event_type == "user.mfa.okta_verify.deny_push"
+        or (
+          okta.event_type == "user.authentication.auth_via_mfa"
+          and okta.debug_context.debug_data.factor == "OKTA_VERIFY_PUSH"
+          and okta.outcome.reason == "INVALID_CREDENTIALS"
+        )
+      )
+  ] with runs=5
+  [ any
+    where event.dataset == "okta.system"
+      and okta.event_type in (
+        "user.authentication.sso",
+        "user.authentication.auth_via_mfa",
+        "user.authentication.verify",
+        "user.session.start"
+      )
+      and okta.outcome.result == "SUCCESS"
+  ]
 '''
 
 
