{"id":4527,"date":"2023-11-02T07:00:00","date_gmt":"2023-11-02T07:00:00","guid":{"rendered":"http:\/\/www.sumologic.com\/blog\/okta-evolving-situation-am-i-impacted"},"modified":"2025-06-17T10:45:22","modified_gmt":"2025-06-17T18:45:22","slug":"okta-evolving-situation-am-i-impacted","status":"publish","type":"blog","link":"https:\/\/www.sumologic.com\/blog\/okta-evolving-situation-am-i-impacted","title":{"rendered":"Okta evolving situation: Am I impacted?"},"content":{"rendered":"\n<section class=\"e-stn e-stn-0d652506f82b000a392973813b918ee25d5b4211 e-stn--glossary-inner-content e-stn--table-of-content\"><div class=\"container\">\n<div class=\"wp-block-b3rg-row e-row row\">\n<div class=\"wp-block-b3rg-column e-col e-col-1f7b3997080fc292474d26ff00c905d99d3520fa e-col--content-wrapper  col-sm-12 col-lg-12 col-xl-12\">\n<div class=\"e-div e-div-a1b32f66e1749758df41d5aea14f647cd10e362c e-div--card-btn-link\"><div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1400\" height=\"400\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/OktaBreach_blog_700x200.png\" alt=\"Okta Breach evolving\" class=\"wp-image-4526\" title=\"\"><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p>Cybersecurity is never boring. In recent months, we\u2019ve seen major <a target=\"_blank\" href=\"https:\/\/www.sumologic.com\/blog\/cyber-attackers-jackpot-vulnerabilities\/\" rel=\"noopener\" data-mce-href=\"https:\/\/www.sumologic.com\/blog\/cyber-attackers-jackpot-vulnerabilities\/\">cyberattacks on Las Vegas casinos<\/a>, and <a target=\"_blank\" href=\"https:\/\/www.sumologic.com\/blog\/sec-cybersecurity-disclosure-rules\/\" rel=\"noopener\" data-mce-href=\"https:\/\/www.sumologic.com\/blog\/sec-cybersecurity-disclosure-rules\/\">expanded SEC cybersecurity disclosure rules<\/a><br \/>\n are top of mind. 
Is it any wonder we consistently recommend taking a<br \/>\nproactive approach to secure your environment with a defense-in-depth<br \/>\nstrategy and appropriate monitoring? <\/p>\n<p>News outlets <a target=\"_blank\" href=\"https:\/\/www.cybersecuritydive.com\/news\/okta-customer-support-system-cyberattack\" rel=\"noopener\" data-mce-href=\"https:\/\/www.cybersecuritydive.com\/news\/okta-customer-support-system-cyberattack\" data-mce->reported<\/a><br \/>\n the recent compromise at the Identity and Authentication (IAM) firm,<br \/>\nOkta. Okta Security discovered unauthorized activity in which a threat<br \/>\nactor accessed Okta&#8217;s support case management system using a stolen<br \/>\ncredential. This breach allowed the intruder to view files that specific<br \/>\n Okta customers uploaded as part of their recent support cases.<\/p>\n<p>Our<br \/>\n Global Operations Center investigated Okta\u2019s evolving situation and so<br \/>\nfar we have no evidence that Sumo Logic, our employees or services are<br \/>\nimpacted in any way. <\/p>\n<p>Okta emphasizes <a target=\"_blank\" href=\"https:\/\/sec.okta.com\/harfiles\" rel=\"noopener\" data-mce-href=\"https:\/\/sec.okta.com\/harfiles\" data-mce->in their blog<\/a><br \/>\n the significance of being alert and monitoring for dubious activities.<br \/>\nTo aid this, a list of Indicators of Compromise is provided, primarily<br \/>\nIP addresses, many of which are linked to commercial VPNs. 
<\/p>\n<p>Additionally,<br \/>\n they highlight two older user agents which, though legitimate, might<br \/>\nbe uncommon due to the release of a newer Chrome version in March 2022.<\/p>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-244a10b563274e48695ebb8356338f54\" id=\"sumo_logic_customers\u00a0\">Sumo Logic customers&nbsp;<\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-c2b6d96ac6b8616e2d9c14c2c373ce78\">If you are a Sumo Logic customer or if you are trialing Sumo Logic services, we can help you determine if you are at risk.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-a7dd7401605c649cd2374da8491032f8\">You can use the <a href=\"https:\/\/www.sumologic.com\/application\/okta\/\">Okta App for Sumo Logic<\/a> to start securing your environment, using the Okta logs to identify this potential compromise and much more, including:<\/p>\n\n\n\n<ul>\n<li>Identify top 10 user account lockouts in the last 24 hours<\/li>\n<li>Correlate user account lockout with a successful login<\/li>\n<li>Identify abnormal user activities<\/li>\n<li>Perform geo-velocity analysis<\/li>\n<li>Detect successful and failed logins<\/li>\n<li>Monitor admin activities<\/li>\n<li>Identify accounts with MFA disabled <\/li>\n<\/ul>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-9ecd944708d5bf410b8db8b9da598d96\">Some examples are below:<br><\/p>\n\n\n\n<ul>\n<li>Account granted SSO Administrator privileges<\/li>\n<li>External support access to SSO environment<\/li>\n<li>Password or MFA reset activity by unexpected accounts<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-5e76fb6540bf45e029fc5b869a1f8a24\" id=\"example_attack_paths\">Example attack paths<\/h2>\n\n\n\n<p>Below, we\u2019ll attempt to walk through some of the attack paths an attacker 
might take to attack your organization via<br \/>\n    SSO. Remember that the below searches are best used for general SSO security monitoring, investigations or feeding<br \/>\n    an entity risk score for risk aggregation, like Cloud SIEM.<\/p>\n<p>The searches we provide throughout the blog are based on Okta logs but can be easily updated for use against any SSO<br \/>\n    provider log. <\/p>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-797c94434bb7ff12c42ebb3a36d6afa6\" id=\"supply_chain_\">Supply chain <\/h3>\n\n\n\n<p>An attacker that manages to compromise any SSO provider directly and subsequently uses that to access or manipulate<br \/>\n    customer environments would fall under a supply chain attack. Defenders should monitor for unusual or unexpected<br \/>\n    access from the SSO provider.<\/p>\n<h4>Unexpected SSO provider service access<\/h4>\n<p>In the example below, we\u2019ll use the Sumo Logic SaaS Log Analytics Platform to search for any activity from Okta<br \/>\n    accounts that should be further investigated. 
<\/p>\n<div class=\"divcode2\">\n    _sourceCategory=*okta* @okta.com <br \/>\n    | json field=_raw &quot;eventType&quot;<br \/>\n    | json field=_raw &quot;displayMessage&quot;<br \/>\n    | json field=_raw &quot;outcome.result&quot; as outcome<br \/>\n    | json field=_raw &quot;actor.type&quot;<br \/>\n    | json field=_raw &quot;actor.alternateId&quot; as act_id<br \/>\n    | json field=_raw &quot;actor.displayName&quot;<br \/>\n    | json field=_raw &quot;target[0].alternateId&quot; as target_id<br \/>\n    | json field=_raw &quot;target[0].displayName&quot; as target_Name<br \/>\n    | where act_id != &quot;system@okta.com&quot;<br \/>\n    | count eventType,displayMessage,outcome,act_id,target_id\n<\/div>\n<p>The next search (which we would advise be set up to generate an alert when seen) indicates that a <strong>session<br \/>\n        impersonation event<\/strong> has occurred. This should only occur if Okta administrative access has been<br \/>\n    requested by an organization. <\/p>\n<div class=\"divcode2\">\n    _sourceCategory=*okta* &quot;user.session.impersonation.initiate&quot;<br \/>\n    | json field=_raw &quot;actor.alternateId&quot; as user <br \/>\n    | json field=_raw &quot;outcome.result&quot; as result<br \/>\n    | json field=_raw &quot;outcome.reason&quot; as outcome<br \/>\n    | json field=_raw &quot;eventType&quot; as event<br \/>\n    | json field=_raw &quot;client.userAgent.rawUserAgent&quot; as user_agent<br \/>\n    | json field=_raw &quot;client.userAgent.os&quot; as os<br \/>\n    | json field=_raw &quot;client.ipAddress&quot; as srcIP\n<\/div>\n<h4>Anomalous password resets<\/h4>\n<p>An attacker might also reset user passwords or reset MFA. 
Instances where unusual accounts are resetting<br \/>\n    passwords or MFA might warrant further analysis.<\/p>\n<div class=\"divcode2\">\n    _sourceCategory=*okta* &quot;user.account.reset_password&quot; OR &quot;user.mfa.factor.deactivate&quot; OR<br \/>\n    &quot;user.mfa.factor.reset_all&quot;<br \/>\n    | json field=_raw &quot;eventType&quot;<br \/>\n    | json field=_raw &quot;published&quot; as time<br \/>\n    | json field=_raw &quot;displayMessage&quot;<br \/>\n    | json field=_raw &quot;outcome.result&quot; as outcome<br \/>\n    | json field=_raw &quot;actor.type&quot;<br \/>\n    | json field=_raw &quot;actor.alternateId&quot; as act_id<br \/>\n    | json field=_raw &quot;actor.displayName&quot;<br \/>\n    | json field=_raw &quot;target[0].alternateId&quot; as target_id<br \/>\n    | json field=_raw &quot;target[0].displayName&quot; as target_Name<br \/>\n    | where act_id != target_id<br \/>\n    \/\/| where !(act_id matches &quot;&lt;expected user&gt;&quot; OR act_id matches &quot;*&lt;expected user&gt;*&quot;)<br \/>\n    | count time,eventType,displayMessage,outcome,act_id,target_id\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-d270cc659545d9bdb95967fad65805b5\" id=\"credential_theft\">Credential theft<\/h3>\n\n\n\n<p>The attacks you are most likely to see are attacks against employee credentials, typically in the form of phishing,<br \/>\n    password spray attacks and MFA fatigue attacks.<\/p>\n<h4>Password spray attacks<\/h4>\n<p>Password spray attacks can take many forms\u2014and security teams should keep an eye out for the signs of an ongoing password<br \/>\n    spray attack. <\/p>\n<h4>General awareness &#8211; deviations in failed logins<\/h4>\n<p>It\u2019s not a bad idea to keep an eye on spikes or baseline deviations in failed logins to your SSO provider. 
Establish<br \/>\n    a baseline of unique accounts with failed logins to your SSO and look for outliers. <\/p>\n<p>This may help identify low and slow password spray attacks and provides a decent 10,000-foot view of attacks or<br \/>\n    probes against your SSO.<\/p>\n<h4>High volume password spray<\/h4>\n<p>One of our favorite ways to identify active password spray attacks is to look for a spike in SSO failed logins<br \/>\n    sourcing from the same ASN. Attackers can change the source of their password spray easily, so building your search<br \/>\n    around a source IP is too narrow. We\u2019ve found grouping by the source ASN and putting a 30 or 60-minute time window<br \/>\n    around it is the sweet spot.<\/p>\n<div class=\"divcode2\">\n    _sourceCategory=&lt;SSO SOURCE&gt; (failure AND &quot;user.session.start&quot;)<br \/>\n    | json field=_raw &quot;actor.alternateId&quot; as user <br \/>\n    | json field=_raw &quot;eventType&quot; as event<br \/>\n    | json field=_raw &quot;client.userAgent.rawUserAgent&quot; as user_agent<br \/>\n    | json field=_raw &quot;client.userAgent.os&quot; as os<br \/>\n    | json field=_raw &quot;client.ipAddress&quot; as srcIP<br \/>\n    | timeslice 30m<br \/>\n    | lookup asn, organization from asn:\/\/default on ip=srcIP<br \/>\n    | lookup country_name from geo:\/\/location on ip=srcIP<br \/>\n    | values(user) as users,values(user_agent) as UA, count_distinct(user) as dist_users by<br \/>\n    organization,ASN,_timeslice,users,UA,country_name<br \/>\n    | where dist_users &gt; 10\n<\/div>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-f1c95292a4bc11c4d8576aabb47441f5\">Another way to look at authentication failures:<\/p>\n\n\n\n<div class=\"divcode2\">\n    _source=&quot;SSO Source&quot; &quot;failure&quot; !(&quot;radius&quot;)<br \/>\n    | json field=_raw &quot;request.ipChain[0].ip&quot; as request_ip nodrop<br \/>\n    | json field=_raw 
&quot;request.ipChain[0].geographicalContext.country&quot; as request_country nodrop<br \/>\n    | json field=_raw &quot;request.ipChain[0].geographicalContext.state&quot; as request_state nodrop<br \/>\n    | json field=_raw &quot;target[0].type&quot; as target_0_type nodrop<br \/>\n    | json field=_raw &quot;target[*].alternateId&quot; as target_altid nodrop<br \/>\n    | json field=_raw &quot;target[0].alternateId&quot; as target0_altid nodrop<br \/>\n    | json field=_raw &quot;target[1].alternateId&quot; as target1_altid nodrop<br \/>\n    | json field=_raw &quot;actor.alternateId&quot; nodrop<br \/>\n    | json field=_raw &quot;client.ipAddress&quot; nodrop<br \/>\n    | json field=_raw &quot;outcome.result&quot; as result nodrop<br \/>\n    | json field=_raw &quot;securityContext.asNumber&quot; as asn nodrop<br \/>\n    | json field=_raw &quot;securityContext.asOrg&quot; as asn_org nodrop<br \/>\n    | json field=_raw &quot;securityContext.isp&quot; as isp nodrop<br \/>\n    | json field=_raw &quot;client.userAgent.rawUserAgent&quot; as user_agent nodrop<br \/>\n    \/\/| where !(asn_org matches &quot;*[Your Organization's ASN]*&quot; )<br \/>\n    | timeslice 30m<br \/>\n    | values(target_altid) as users,values(asn_org) as asn_org,values(request_country) as<br \/>\n    country,count_distinct(target_altid) as target_count, count group by request_ip,user_agent,_timeslice<br \/>\n    | where target_count &gt; 10\n<\/div>\n<p>Expanding the search to look for spikes in failed logins over a short time window (10 minutes) can also prove useful<br \/>\n    but can sometimes generate false positives. Think Monday morning when everyone is first logging in or after a<br \/>\n    holiday break and no one can remember their password. <\/p>\n<h4>MFA push notification fatigue<\/h4>\n<p>Adding an additional layer of security on top of SSO is recommended, and the most common method for doing this is in<br \/>\n    the form of push notifications. 
Once valid credentials have been provided to the SSO platform, an MFA push<br \/>\n    notification will be sent to a pre-enrolled device that requires accepting or acknowledging the attempt to complete<br \/>\n    the login process.<\/p>\n<p>Once an attacker has a username and password, they can attempt to initiate a logon with the hope that the victim<br \/>\n    unknowingly or unintentionally acknowledges the push notification. Believe us when we tell you that this happens<br \/>\n    more often than you think!<\/p>\n<p>To increase their chance of success, attackers will flood or spam victims with push notifications. Okta published a<br \/>\n    great <a href=\"https:\/\/sec.okta.com\/everythingisyes\" target=\"_blank\" rel=\"noopener\">blog<\/a> on this attack technique in early<br \/>\n    March 2022. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-1bd420c2f2c7f5c6256ed27f118d1a92\">We\u2019ve adapted their detection for use in Sumo\u2019s CIP:<\/p>\n\n\n\n<div class=\"divcode2\">\n    _source=&lt;SSO LOG SOURCE&gt; (user.authentication.auth_via_mfa or OKTA_VERIFY_PUSH)<br \/>\n    | json field=_raw &quot;outcome.result&quot; as result<br \/>\n    | json field=_raw &quot;actor.alternateId&quot; as user<br \/>\n    | timeslice 10m<br \/>\n    | if(result=&quot;SUCCESS&quot;,1,0) as success| if(result=&quot;FAILURE&quot;,1,0) as failure<br \/>\n    | count as total_pushes,sum(success) as success, sum(failure) as failure by user,_timeslice<br \/>\n    | failure\/total_pushes as push_fail_ratio<br \/>\n    | &quot;No Finding&quot; as finding<br \/>\n    | if(failure=total_pushes AND total_pushes&gt;1,&quot;Authentication attempts not successful because multiple pushes denied&quot;,finding) as finding<br \/>\n    | if(total_pushes=0,&quot;Multiple pushes sent and ignored&quot;,finding) as finding <br \/>\n    | if(success&gt;0 AND total_pushes&gt;3,&quot;Multiple pushes sent, eventual successful 
authentication!&quot;,finding) as<br \/>\n    finding<br \/>\n    | if(push_fail_ratio&gt;.1,&quot;High push fail Ratio with successful login detected&quot;,finding) as finding<br \/>\n    | where finding = &quot;High push fail Ratio with successful login detected&quot; and total_pushes &gt; 1\n<\/div>\n<p>This search identifies accounts that received a high number of push notifications,<br \/>\n    with multiple failures and at least one successful login.<\/p>\n<h4>Post SSO compromise activity<\/h4>\n<p>Once an attacker steals credentials and successfully gets a victim to accept a push notification, they have some form<br \/>\n    of access to the organization and its data. We\u2019ve observed attackers performing a variety of actions following<br \/>\n    initial access, which we will discuss below. <\/p>\n<p>Please note that any results that may return from the below searches do not indicate a compromise has occurred and<br \/>\n    should be considered in aggregate with other events of interest associated with the account in question.<\/p>\n<h4>Interesting MFA and password reset activity<\/h4>\n<p>If an attacker has managed to compromise an SSO account, they might reset the account password and update and take<br \/>\n    control of the victim\u2019s MFA. 
The below CIP search is also looking at Okta data and identifying any accounts that<br \/>\n    have had both an MFA update and password reset event within a specified time window.<\/p>\n<div class=\"divcode2\">\n    _source=&lt;SSO LOG SOURCE&gt; (user.account.reset_password or user.mfa.factor.update)<br \/>\n    | json field=_raw &quot;eventType&quot; as action<br \/>\n    | if(action matches &quot;*reset_password*&quot;,1,0) as reset_password<br \/>\n    | if(action matches &quot;*user.mfa.factor.update*&quot;,1,0) as user_mfa_factor_update<br \/>\n    | json field=_raw &quot;actor.alternateId&quot; as user<br \/>\n    | json field=_raw &quot;target[*].alternateId&quot; as target_user \/\/identifies target, rather than system@okta.com<br \/>\n    | count, sum(user_mfa_factor_update) as user_mfa_factor_update, sum(reset_password) as reset_password by<br \/>\n    target_user<br \/>\n    | where user_mfa_factor_update&gt;1 and reset_password&gt;1\n<\/div>\n<h4>Unusual SSO app access<\/h4>\n<p>One of the behaviors that we often observe following initial access is the attacker exploring all of the applications<br \/>\n    the compromised account has access to. A user may have access to dozens of published applications, but usually accesses only<br \/>\n    a small number of those apps daily.<\/p>\n<p>The behavior of normal user application access looks very different than an attacker who has just gained access to a<br \/>\n    victim\u2019s application portal SSO. Imagine the attacker drooling when they see Salesforce, GitHub, Confluence, Slack<br \/>\n    or PowerBI applications available for access! 
These applications are a goldmine and you can bet that an attacker<br \/>\n    will attempt to access as many of these applications as possible to discover what data they can steal.<\/p>\n<h4>User application access deviation<\/h4>\n<p>Let\u2019s look for accounts that trigger a deviation for the number of distinct applications that are being accessed by<br \/>\n    an account. If a legitimate user normally accesses five apps a day, but we observe the account accessing 20 apps,<br \/>\n    that might be something worth noting.<\/p>\n<h4>Unauthorized app access attempts<\/h4>\n<p>An attacker that is engaging in discovery activity using compromised SSO credentials will likely attempt to access<br \/>\n    applications that the account does not have the authorization to access. These violations will often have an<br \/>\n    associated log event, which can be useful for defenders attempting to identify suspicious activity. We can use<br \/>\n    another CIP search to identify accounts that have attempted to access multiple applications that the account is not<br \/>\n    authorized to access. 
<\/p>\n<div class=\"divcode2\">\n    _sourceCategory=&lt;SSO LOG SOURCE&gt; (app.generic.unauth_app_access_attempt OR<br \/>\n    app.oauth2.as.authorize.scope_denied OR app.oauth2.client_id_rate_limit_warning OR<br \/>\n    app.oauth2.invalid_client_credentials OR app.oauth2.invalid_client_ids OR app.oauth2.token.detect_reuse)<br \/>\n    | json field=_raw &quot;actor.alternateId&quot; as user <br \/>\n    | json field=_raw &quot;eventType&quot; as event<br \/>\n    | json field=_raw &quot;target[0].displayName&quot; as appName<br \/>\n    | timeslice 3d<br \/>\n    | values(appName) as appNames, values(event) as event_type, count_distinct(appName) as unique_count by<br \/>\n    user,_timeslice,appNames,event_type<br \/>\n    | where unique_count &gt;=2\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-acafa72cdfe7e2590b1a7d8d476ac884\" id=\"summary\">Summary<\/h3>\n\n\n\n<p>The Sumo Logic SaaS Log Analytics Platform makes easy work of slicing and dicing your SSO log data to identify potential<br \/>signs of compromised credentials. Furthermore, Sumo Logic Cloud <a href=\"https:\/\/www.sumologic.com\/solutions\/cloud-siem\">SIEM<\/a> provides out-of-the-box security rules for<br \/>normalized authentication log data and additional rules specific to SSO providers. Signals generated from these<br \/>rules apply risk to entities, and Cloud SIEM automatically creates Insights if risk thresholds are exceeded. 
This<br \/>provides customers with a powerful security solution they can easily adapt and custom tailor to their specific<br \/>environment.<\/p>\n<p>The searches shared above can be used to create dashboards for daily review, trigger email alerts based on various<br \/>parameters to notify your security team of activity of interest, or best of all, send an event to Sumo Logic Cloud<br \/>SIEM to contribute to an entity risk model.<\/p>\n<p>Check out the <a href=\"https:\/\/www.sumologic.com\/guides\/siem\/\">modern SIEM guide<\/a> to learn more or see our product<br \/>in action with the <a href=\"https:\/\/www.sumologic.com\/demos\/\">Cloud SIEM demo<\/a>.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/section>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":133,"featured_media":25755,"template":"","meta":{"_acf_changed":false,"show_custom_date":false,"custom_date":"","featured":false,"featured_image":0,"learn_more_label":"","image_alt_text":"","learn_more_type":"","show_popup":false,"learn_more_link_file":0,"event_date":false,"event_start_date":"","event_end_date":"","place_holder_image_url":"","post_reading_time":"8","notification_enabled":false,"notification_text":"","notification_logo":"","notification_expiration_time":0,"is_enable_transparent_header":false,"selected_taxonomy_terms":{"blog-category":[127],"blog-tag":[]},"selected_primary_terms":[],"learn_more_link":[],"featured_page_list":[],"notification_enabled_post_list":[],"_gspb_post_css":"","_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"71501,4668,71369","_relevanssi_noindex_reason":"","inline_featured_image":false,"footnotes":""},"blog-category":[127],"blog-tag":[],"class_list
":["post-4527","blog","type-blog","status-publish","has-post-thumbnail","hentry","blog-category-secops-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/4527","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/users\/133"}],"version-history":[{"count":4,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/4527\/revisions"}],"predecessor-version":[{"id":26892,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/4527\/revisions\/26892"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/media\/25755"}],"wp:attachment":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/media?parent=4527"}],"wp:term":[{"taxonomy":"blog-category","embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog-category?post=4527"},{"taxonomy":"blog-tag","embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog-tag?post=4527"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}