Okta Suspicious Activity Reported

name: Okta Suspicious Activity Reported
id: bfc840f5-c9c6-454c-aa13-b46fd0bf1e79
version: 10
date: '2026-03-10'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic identifies when an associate reports a login attempt as suspicious via an email from Okta. It leverages Okta Identity Management logs, specifically the `user.account.report_suspicious_activity_by_enduser` event type. This activity is significant as it indicates potential unauthorized access attempts, warranting immediate investigation to prevent possible security breaches. If confirmed malicious, the attacker could gain unauthorized access to sensitive systems and data, leading to data theft, privilege escalation, or further compromise of the environment.
data_source:
    - Okta
search: |-
    `okta` eventType=user.account.report_suspicious_activity_by_enduser
      | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage)
        BY user dest src
           eventType client.userAgent.rawUserAgent client.userAgent.browser
           client.geographicalContext.city client.geographicalContext.country
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `okta_suspicious_activity_reported_filter`
how_to_implement: This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). Additionally, it necessitates the activation of suspicious activity reporting and training for associates to report such activities.
known_false_positives: False positives should be minimal, given the high fidelity of this detection. marker.
references:
    - https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A user [$user$] reported suspicious activity in Okta. Investigate further to determine if this was authorized.
    risk_objects:
        - field: user
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Okta Account Takeover
    asset_type: Okta Tenant
    mitre_attack_id:
        - T1078.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: access
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/okta_suspicious_activity_reported_by_user.log
          source: Okta
          sourcetype: OktaIM2:log