Analytics Alerts
Browse the Cortex analytics alert reference.
3 alerts match the current filters. technique: T1621 ✕
Show ATT&CK heatmapA user attempted to bypass Okta MFA Low Identity Threat Module 1 variation
A user may have attempted to bypass Okta MFA.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Modify Authentication Process (T1556) Multi-Factor Authentication Request Generation (T1621)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Contact the user who attempted to bypass MFA and ensure the request was legitimate. Check if the user successfully authenticated after the event.Variations
A successful bypass of Okta MFA
Low overridden
Suspicious MFA bypass attempt in Okta. overridden
AWS console login without MFA Informational Cloud
An identity logged in to the AWS console without MFA.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Multi-Factor Authentication Request Generation (T1621)Required data: AWS Audit LogAttacker's goals: Bypassing multifactor authentication controls to gain unauthorized access to the cloud environment.Investigative actions: Determine why MFA was not enforced and whether MFA was ever enabled. Track any subsequent activity performed by the identity after the login to identify potential misuse.Multiple Okta MFA requests sent to a user Informational Identity Analytics 1 variation
Multiple SSO MFA attempts were sent to the user. This may indicate an MFA fatigue attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Multi-Factor Authentication Request Generation (T1621)Required data: OktaAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Verify the reasoning behind the MFA request rejections. Follow further actions performed by the user.Variations
Multiple Okta MFA requests sent to a user with unusual characteristics
Low overridden
Multiple SSO MFA attempts were sent to the user. This may indicate an MFA fatigue attack. overridden