{"id":5403,"date":"2022-03-29T05:07:00","date_gmt":"2022-03-29T05:07:00","guid":{"rendered":"http:\/\/www.sumologic.com\/blog\/mind-your-single-sign-on-sso-logs"},"modified":"2026-04-07T15:36:34","modified_gmt":"2026-04-07T23:36:34","slug":"mind-your-single-sign-on-sso-logs","status":"publish","type":"blog","link":"https:\/\/www.sumologic.com\/blog\/mind-your-single-sign-on-sso-logs","title":{"rendered":"Mind your Single Sign-On (SSO) logs"},"content":{"rendered":"\n<section class=\"e-stn e-stn-0d652506f82b000a392973813b918ee25d5b4211 e-stn--glossary-inner-content e-stn--table-of-content\"><div class=\"container\">\n<div class=\"wp-block-b3rg-row e-row row\">\n<div class=\"wp-block-b3rg-column e-col e-col-1f7b3997080fc292474d26ff00c905d99d3520fa e-col--content-wrapper  col-sm-12 col-lg-12 col-xl-12\">\n<div class=\"e-div e-div-a1b32f66e1749758df41d5aea14f647cd10e362c e-div--card-btn-link\">\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-e87131f0c243d916bdf9350bea0a9871\" id=\"recommendations_on_sso_monitoring_in_light_of_the_recent_okta_breach\">Recommendations on SSO monitoring in light of the recent Okta breach<\/h2>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-ff06865b8e5f78af0566b86976bc33a4\">The news that hacking group <a href=\"https:\/\/www.wired.com\/story\/okta-hack-microsoft-bing-code-leak-lapsus\/\" target=\"_blank\" rel=\"noopener\">Lapsus$<\/a> gained unauthorized access to Single Sign-On (SSO) provider Okta through a third-party support account sent chills through information security professionals everywhere. Organizations have adopted SSO identity providers to enable a modern workforce that is increasingly reliant on secure access to cloud-hosted applications to perform critical business functions. 
<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-9d5ba917d3ec4906bf8738dcd185d637\">Every organization should understand the <a href=\"https:\/\/www.sumologic.com\/blog\/okta-evolving-situation-am-i-impacted\/\">risks associated<\/a> with moving critical authentication services to third-party providers and ensure sufficient controls are implemented to minimize the risk to an acceptable level. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-ee58198c5be467c7008f29a78cce5032\">We have a few other thoughts on this matter; hold on while we find a soapbox\u2026<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-f8c32dad01819e77378f56af75b3dd70\">The message we want to communicate is clear: if your organization uses a cloud-hosted SSO provider, you must have a monitoring, detection and response strategy tailored to your SSO infrastructure. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-aa634e06a6e2a2e3506e9df07df5fe90\">Look, we get it. The Sumo Logic Threat Labs and Global Operations Center (GOC) teams have been in your shoes before. We understand what it\u2019s like to be caught without the right logs, to struggle to interpret a new log source and to spend countless hours pondering how to distill the nuanced signals of an intrusion. At Sumo Logic, one of our <a href=\"https:\/\/www.sumologic.com\/company\/about-us\/\">core values<\/a> is \u201cIn it with our customers.\u201d We will take it a step further and add \u201cIn it with our customers and the security community.\u201d You need a strategy, and at the risk of sounding clich\u00e9, \u201cthe best time to start was yesterday, the next best time is now.\u201d <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-850b11eaa8ed8d9a4b07950f75f99931\">The goal of this blog is to provide the building blocks for developing a strategy for monitoring, detecting and responding to activity within your SSO infrastructure. Let\u2019s go! <\/p>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-8b9745b7efdbbe3b4bf9045e3c7c8503\" id=\"first_things_first\">First things first<\/h2>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-0ee5b68a45ffd25bfd51ceb85ef6e0db\">If you are using Okta, OneLogin, Ping Identity, Microsoft Azure Active Directory (AD) or any other SSO identity provider and are not sending the logs to a <a href=\"https:\/\/www.sumologic.com\/guides\/siem\" data-type=\"resource\" data-id=\"3026\">SIEM<\/a> or log management platform, stop reading this. Go and enable logging (make sure you double-check the log levels) and forward the logs to your SIEM or log management system immediately.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-1d644b812a32cba5a3f4711c1a652f30\">Most identity providers will retain logs for some period of time, but forwarding these critical events to a secure, long-term storage solution, like <a href=\"https:\/\/www.sumologic.com\/solutions\/cloud-siem-enterprise\/\">Sumo Logic Cloud SIEM<\/a> or other relevant platforms, is highly recommended. 
<\/p>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-992ef0c97dccbef172658f21f021659d\" id=\"general_sso_configuration_hygiene\">General SSO configuration hygiene<\/h3>\n\n\n\n<ul>\n<li>Enforce Multi-Factor Authentication (MFA) as part of the authentication process; FIDO hardware tokens are the most secure, and mobile push notifications are the next best option but are increasingly under attack. SMS codes are considered the least secure but are better than nothing at all.<\/li>\n<li>Review additional security features that can be enabled (some at no cost, others require a subscription) to provide additional layers of security, such as Okta\u2019s ThreatInsight or Azure Active Directory (AD) Identity Protection.<\/li>\n<li>If your SSO provider offers a built-in setting to disable support access, disable it and enable it only when support is required.<\/li>\n<li>Validate that logging is enabled and set to the appropriate log level. (Yes, for some SSO vendors logging can be configured at various levels of verbosity.)<\/li>\n<li>Send logs to a SIEM or log management tool (did we emphasize this enough yet?). Ensure log retention meets regulatory or organizational requirements. <\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-5fe13c216468e403559b15225843d528\" id=\"getting_real_on_detections:_you_need_a_strategy\">Getting real on detections: you need a strategy<\/h2>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-4392780334798b01ba73a6d191def237\">Before we dive into some of the attack paths we\u2019ve observed and some useful and clever searches that can be used to monitor and investigate SSO logs, let\u2019s first discuss how an organization can actually detect a successful attack against its SSO infrastructure. 
<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-194f8d4bc126b2ccf508d9949754f201\">The first thing that should be acknowledged is this: there is no \u201csmoking gun\u201d search, alert or single detection that indicates an account has been compromised. Visibility into everything (increasingly, that means the cloud) and an understanding of how to baseline behavior and surface anomalies are critical for defenders. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-80edf9078c49a16d142967e91abdfebe\">To oversimplify our approach, we risk-rate notable activity by each entity within a time window. This allows us to look for \u201cclusters\u201d of notable events that, when considered in aggregate, are more likely to identify malicious activity.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-1792e40d4f4dba885255bbfbe94f310e\">For example, observing a single SSO account with a password reset is a notable event, but when considered on its own, it does not necessarily suggest a compromise has occurred. However, if we observe the same SSO account with anomalous MFA push notifications, a password reset, an MFA reset and some unusual SSO application access, well, that is certainly more interesting. <\/p>\n\n\n\n<blockquote class=\"pull\">\n<p>Tip: Some events happen so infrequently, and carry such potential for significant security ramifications if missed, that we suggest setting up alerts or notifications to a group or distribution list of key stakeholders via email, Slack, Microsoft Teams or directly through your SIEM for immediate awareness. Notifying a group of stakeholders reduces the likelihood of a potentially critical event going unnoticed.<\/p>\n<\/blockquote>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-9ecd944708d5bf410b8db8b9da598d96\">Some examples are below:<\/p>\n\n\n\n<ul>\n<li>Account granted SSO Administrator privileges<\/li>\n<li>External support access to SSO environment<\/li>\n<li>Password or MFA reset activity by unexpected accounts<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-5e76fb6540bf45e029fc5b869a1f8a24\" id=\"example_attack_paths\">Example attack paths<\/h2>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-6e54746b3ee12bae1e5c6f155c77b095\">Below, we\u2019ll walk through some of the paths an attacker might take to attack your organization via SSO. Remember that the searches below are best used for general SSO security monitoring, for investigations, or for feeding an entity risk score into a risk-aggregation platform like Sumo\u2019s Cloud SIEM.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-fac5f298694cfc37d25718f4769a9dc8\">The searches we provide throughout the blog are based on Okta logs but can be easily updated for use against any SSO provider log. <\/p>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-797c94434bb7ff12c42ebb3a36d6afa6\" id=\"supply_chain_\">Supply chain<\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-1dabff7bbf7e3797cd56b78c04a9fb25\">An attacker who manages to compromise an SSO provider directly and subsequently uses that access to reach or manipulate customer environments is carrying out a supply chain attack. Defenders should monitor for unusual or unexpected access from the SSO provider.<\/p>\n\n\n\n<h4>Unexpected SSO provider service access<\/h4>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-d924b1fe8a7ffcf0d7f8ab531059d7ce\">In the example below, we\u2019ll use the Continuous Intelligence Platform\u2122 (CIP) to search for any activity performed by Okta (vendor) accounts, which should be further investigated. <\/p>\n\n\n\n<div class=\"divcode2\">\n_sourceCategory=*okta* @okta.com<br \/>\n| json field=_raw \"eventType\"<br \/>\n| json field=_raw \"displayMessage\"<br \/>\n| json field=_raw \"outcome.result\" as outcome<br \/>\n| json field=_raw \"actor.type\"<br \/>\n| json field=_raw \"actor.alternateId\" as act_id<br \/>\n| json field=_raw \"actor.displayName\"<br \/>\n| json field=_raw \"target[0].alternateId\" as target_id<br \/>\n| json field=_raw \"target[0].displayName\" as target_Name<br \/>\n\/\/ exclude Okta's own system account so the remaining @okta.com actors stand out<br \/>\n| where act_id != \"system@okta.com\"<br \/>\n| count by eventType,displayMessage,outcome,act_id,target_id\n<\/div>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-64eba6f840d53c849ada85fe8cc23e87\">The next search (which we would advise be set up to generate an alert when seen) indicates that a <strong>session impersonation event<\/strong> has occurred. This should only occur if your organization has requested Okta administrative access. 
<\/p>\n\n\n\n<div class=\"divcode2\">\n_sourceCategory=*okta* \"user.session.impersonation.initiate\"<br \/>\n| json field=_raw \"actor.alternateId\" as user<br \/>\n| json field=_raw \"outcome.result\" as result<br \/>\n| json field=_raw \"outcome.reason\" as outcome<br \/>\n| json field=_raw \"eventType\" as event<br \/>\n| json field=_raw \"client.userAgent.rawUserAgent\" as user_agent<br \/>\n| json field=_raw \"client.userAgent.os\" as os<br \/>\n| json field=_raw \"client.ipAddress\" as srcIP\n<\/div>\n<h4>Anomalous password resets<\/h4>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-65aea76f97c50c6bebb914ef41dec00f\">An attacker might also reset user passwords or reset MFA. Instances where unusual accounts are resetting passwords or MFA warrant further analysis.<\/p>\n\n\n\n<div class=\"divcode2\">\n_sourceCategory=*okta* (\"user.account.reset_password\" OR \"user.mfa.factor.deactivate\" OR \"user.mfa.factor.reset_all\")<br \/>\n| json field=_raw \"eventType\"<br \/>\n| json field=_raw \"published\" as time<br \/>\n| json field=_raw \"displayMessage\"<br \/>\n| json field=_raw \"outcome.result\" as outcome<br \/>\n| json field=_raw \"actor.type\"<br \/>\n| json field=_raw \"actor.alternateId\" as act_id<br \/>\n| json field=_raw \"actor.displayName\"<br \/>\n| json field=_raw \"target[0].alternateId\" as target_id<br \/>\n| json field=_raw \"target[0].displayName\" as target_Name<br \/>\n\/\/ self-service resets (actor equals target) are usually benign; keep resets performed on someone else<br \/>\n| where act_id != target_id<br \/>\n\/\/ optional: exclude accounts expected to perform resets (help desk, automation)<br \/>\n\/\/| where !(act_id matches \"&lt;expected user&gt;\" OR act_id matches \"*&lt;expected user&gt;*\")<br \/>\n| count by time,eventType,displayMessage,outcome,act_id,target_id\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-d270cc659545d9bdb95967fad65805b5\" id=\"credential_theft\">Credential theft<\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-3fa1e184b4e05845d48e02626266aed7\">The attacks you are most likely to see are attacks against employee credentials, typically in the form of phishing, password spray attacks and MFA fatigue attacks.<\/p>\n\n\n\n<h4>Password spray attacks<\/h4>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-74e8bdaf704ab39dc9e56d383d9de03c\">Password spray attacks can take many forms, and security teams should keep an eye out for the signs of an ongoing password spray attack. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-695aa9cfdefa3f825c0b799b21e31930\"><strong>General awareness &#8211; deviations in failed logins<\/strong><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-5d9e0c3ce14dd31eb756ff3ed7bea34e\">It\u2019s not a bad idea to keep an eye on spikes or baseline deviations in failed logins to your SSO provider. Establish a baseline of unique accounts with failed logins to your SSO and look for outliers. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-3c7a98c9360c24e3771b8cca76b97fc9\">This may help identify low-and-slow password spray attacks and provides a decent 10,000-foot view of attacks or probes against your SSO.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-bcf684b41a88b0e7a99a42951dbbf58d\"><strong>High volume password spray<\/strong><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-516cb7ad9ed3a6338141001480a91d1e\">One of our favorite ways to identify active password spray attacks is to look for a spike in SSO failed logins originating from the same ASN. Attackers can change the source of their password spray easily, so building your search around a source IP is too narrow. We\u2019ve found grouping by the source ASN and putting a 30- or 60-minute time window around it is the sweet spot.<\/p>\n\n\n\n<div class=\"divcode2\">\n_sourceCategory=&lt;SSO SOURCE&gt; (failure AND \"user.session.start\")<br \/>\n| json field=_raw \"actor.alternateId\" as user<br \/>\n| json field=_raw \"eventType\" as event<br \/>\n| json field=_raw \"client.userAgent.rawUserAgent\" as user_agent<br \/>\n| json field=_raw \"client.userAgent.os\" as os<br \/>\n| json field=_raw \"client.ipAddress\" as srcIP<br \/>\n| timeslice 30m<br \/>\n| lookup asn, organization from asn:\/\/default on ip=srcIP<br \/>\n| lookup country_name from geo:\/\/location on ip=srcIP<br \/>\n\/\/ group by ASN rather than IP: many distinct users failing from one ASN in a slice is the signal<br \/>\n| values(user) as users, values(user_agent) as UA, count_distinct(user) as dist_users by organization,asn,_timeslice,country_name<br \/>\n| where dist_users &gt; 10\n<\/div>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-f1c95292a4bc11c4d8576aabb47441f5\">Another way to look at authentication failures:<\/p>\n\n\n\n<div class=\"divcode2\">\n_source=&lt;SSO LOG SOURCE&gt; \"failure\" !(\"radius\")<br \/>\n| json field=_raw \"request.ipChain[0].ip\" as request_ip nodrop<br \/>\n| json field=_raw \"request.ipChain[0].geographicalContext.country\" as request_country nodrop<br \/>\n| json field=_raw \"request.ipChain[0].geographicalContext.state\" as request_state nodrop<br \/>\n| json field=_raw \"target[0].type\" as target_0_type nodrop<br \/>\n| json field=_raw \"target[*].alternateId\" as target_altid nodrop<br \/>\n| json field=_raw \"target[0].alternateId\" as target0_altid nodrop<br \/>\n| json field=_raw \"target[1].alternateId\" as target1_altid nodrop<br \/>\n| json field=_raw \"actor.alternateId\" nodrop<br \/>\n| json field=_raw \"client.ipAddress\" nodrop<br \/>\n| json field=_raw \"outcome.result\" as result nodrop<br \/>\n| json field=_raw \"securityContext.asNumber\" as asn nodrop<br \/>\n| json field=_raw \"securityContext.asOrg\" as asn_org nodrop<br \/>\n| json field=_raw \"securityContext.isp\" as isp nodrop<br \/>\n| json field=_raw \"client.userAgent.rawUserAgent\" as user_agent nodrop<br \/>\n\/\/ optional: exclude your own ASN so internal failures do not drown out external ones<br \/>\n\/\/| where !(asn_org matches \"*[Your Organization's ASN]*\")<br \/>\n| timeslice 30m<br \/>\n| values(target_altid) as users, values(asn_org) as asn_org, values(request_country) as country, count_distinct(target_altid) as target_count, count group by request_ip,user_agent,_timeslice<br \/>\n| where target_count &gt; 10\n<\/div>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-9b4762d6173a2ff69f9a9fd4ef0c8588\">Expanding the search to look for spikes in failed logins over a short time window (10 minutes) can also prove useful but can sometimes generate false positives. Think Monday morning when everyone is first logging in, or after a holiday break when no one can remember their password. <\/p>\n\n\n\n<h4>MFA push notification fatigue<\/h4>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-dc053a6aa93afe61cae70f6f38b4ab3a\">Adding an additional layer of security on top of SSO is recommended, and the most common method for doing this is in the form of push notifications. Once valid credentials have been provided to the SSO platform, an MFA push notification is sent to a pre-enrolled device, and the user must accept or acknowledge the attempt to complete the login process.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-98aba9558910a4e2b819cefcfa1490b8\">Once an attacker has a username and password, they can attempt to initiate a logon in the hope that the victim unknowingly or unintentionally acknowledges the push notification. 
Believe us when we tell you that this happens more often than you think!<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-d2d5c240275cabe04257b85d5e7355bd\">To increase their chance of success, attackers will flood or spam victims with push notifications. Okta published a great <a href=\"https:\/\/sec.okta.com\/everythingisyes\" target=\"_blank\" rel=\"noopener\">blog<\/a> on this attack technique in early March 2022. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-1bd420c2f2c7f5c6256ed27f118d1a92\">We\u2019ve adapted their detection for use in Sumo\u2019s CIP:<\/p>\n\n\n\n<div class=\"divcode2\">\n_source=&lt;SSO LOG SOURCE&gt; (user.authentication.auth_via_mfa OR OKTA_VERIFY_PUSH)<br \/>\n| json field=_raw \"outcome.result\" as result<br \/>\n| json field=_raw \"actor.alternateId\" as user<br \/>\n| timeslice 10m<br \/>\n| if(result=\"SUCCESS\",1,0) as success<br \/>\n| if(result=\"FAILURE\",1,0) as failure<br \/>\n| count as total_pushes, sum(success) as success, sum(failure) as failure by user,_timeslice<br \/>\n| failure\/total_pushes as push_fail_ratio<br \/>\n| \"No Finding\" as finding<br \/>\n| if(failure=total_pushes AND total_pushes&gt;1,\"Authentication attempts not successful because multiple pushes denied\",finding) as finding<br \/>\n| if(total_pushes=0,\"Multiple pushes sent and ignored\",finding) as finding<br \/>\n| if(success&gt;0 AND total_pushes&gt;3,\"Multiple pushes sent, eventual successful authentication!\",finding) as finding<br \/>\n\/\/ require at least one success so an all-denied burst is not labeled as a successful login<br \/>\n| if(push_fail_ratio&gt;.1 AND success&gt;0,\"High push fail Ratio with successful login detected\",finding) as finding<br \/>\n| where finding = \"High push fail Ratio with successful login detected\" and total_pushes &gt; 1\n<\/div>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-a401fa8bd453b035d157d66d1f3dc433\">This search will identify instances where an account has been observed with a high number of push notifications sent, multiple failures and at least one successful login.<\/p>\n\n\n\n<h4>Post SSO compromise activity<\/h4>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-3cc404c427cfff1093e7f6d43c30194d\">Once an attacker steals credentials and successfully gets a victim to accept a push notification, they have some form of access to the organization and its data. We\u2019ve observed attackers performing a variety of actions following initial access, which we will discuss below. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-94c1566c276f4eaa2b7c46b3676880fd\">Please note that results returned by the searches below do not on their own indicate that a compromise has occurred; they should be considered in aggregate with other events of interest associated with the account in question.<\/p>\n\n\n\n<h4>Interesting MFA and password reset activity<\/h4>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-ae09c8dffb4fe1b7a36b4c76652d0764\">If an attacker has managed to compromise an SSO account, they might reset the account password and update the victim\u2019s MFA factors to take control of them. The CIP search below also looks at Okta data, identifying any accounts that have had both an MFA update and a password reset event within a specified time window.<\/p>\n\n\n\n<div class=\"divcode2\">\n_source=&lt;SSO LOG SOURCE&gt; (user.account.reset_password OR user.mfa.factor.update)<br \/>\n| json field=_raw \"eventType\" as action<br \/>\n| if(action matches \"*reset_password*\",1,0) as reset_password<br \/>\n| if(action matches \"*user.mfa.factor.update*\",1,0) as user_mfa_factor_update<br \/>\n| json field=_raw \"actor.alternateId\" as user<br \/>\n| json field=_raw \"target[*].alternateId\" as target_user \/\/ identifies the target, rather than system@okta.com<br \/>\n| count, sum(user_mfa_factor_update) as user_mfa_factor_update, sum(reset_password) as reset_password by target_user<br \/>\n| where user_mfa_factor_update&gt;1 and reset_password&gt;1\n<\/div>\n<h4>Unusual SSO app access<\/h4>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-1cfc195e0e5362ea3e575f67ae7d2569\">One of the behaviors that we often observe following initial access is the attacker exploring all of the applications the compromised account has access to. A user may have access to dozens of published applications but usually accesses only a small number of those apps daily.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-d7e4a83f2c89dfb60de837bd82b8dfe9\">The behavior of normal user application access looks very different from that of an attacker who has just gained access to a victim\u2019s SSO application portal. Imagine the attacker drooling when they see Salesforce, GitHub, Confluence, Slack or Power BI applications available for access! These applications are a goldmine, and you can bet that an attacker will attempt to access as many of these applications as possible to discover what data they can steal.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-8fd3a5ee49f8f5d0bcca449d4a8e6176\"><strong>User application access deviation<\/strong><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-7374652e52387565dc289509b1020ef6\">Let\u2019s look for accounts that show a deviation in the number of distinct applications they access. If a legitimate user normally accesses five apps a day, but we observe the account accessing 20 apps, that might be something worth noting.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-c1a19da91be6ccb60f29693217922bd7\"><strong>Unauthorized app access attempts<\/strong><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-08f6e52bbd7781684afd678ab247ed34\">An attacker engaging in discovery activity using compromised SSO credentials will likely attempt to access applications that the account is not authorized to access. These violations will often have an associated log event, which can be useful for defenders attempting to identify suspicious activity. We can use another CIP search to identify accounts that have attempted to access multiple applications that the account is not authorized to access. 
<\/p>\n\n\n\n<div class=\"divcode2\">\n_sourceCategory=&lt;SSO LOG SOURCE&gt; (app.generic.unauth_app_access_attempt OR app.oauth2.as.authorize.scope_denied OR app.oauth2.client_id_rate_limit_warning OR app.oauth2.invalid_client_credentials OR app.oauth2.invalid_client_ids OR app.oauth2.token.detect_reuse)<br \/>\n| json field=_raw \"actor.alternateId\" as user<br \/>\n| json field=_raw \"eventType\" as event<br \/>\n| json field=_raw \"target[0].displayName\" as appName<br \/>\n| timeslice 3d<br \/>\n\/\/ one denied app is noise; several distinct denied apps for the same user in a slice suggests discovery<br \/>\n| values(appName) as appNames, values(event) as event_type, count_distinct(appName) as unique_count by user,_timeslice<br \/>\n| where unique_count &gt;=2\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-acafa72cdfe7e2590b1a7d8d476ac884\" id=\"summary\">Summary<\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-e3a06be7716a912db473d467e860856e\">Sumo Logic CIP makes easy work of slicing and dicing your SSO log data to identify potential signs of compromised credentials. Furthermore, Sumo Logic Cloud SIEM provides out-of-the-box security rules for normalized authentication log data and additional rules specific to SSO providers. Signals generated from these rules apply risk to entities, and Cloud SIEM automatically creates Insights if risk thresholds are exceeded. This provides customers with a powerful security solution they can easily adapt and tailor to their specific environment. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-378367465e886f0bfc2289eb223d3fb7\">The searches shared above can be used to create dashboards for daily review, to trigger email alerts based on various parameters to notify your security team of activity of interest, or, best of all, to send an event to Sumo Logic Cloud SIEM to contribute to an entity risk model. 
<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-8c2939e03bd55857289033b4c3993365\">To see for yourself, <a href=\"https:\/\/www.sumologic.com\/request-cloud-siem-enterprise-demo\/\">request a demo<\/a> of Sumo Logic Cloud SIEM today or reach out directly to Sumo Logic. <br><\/p>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-f90d968c5f6c951b499f76dcd1cf25e8\" id=\"about_us\">About us<\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-b1ea68b9b70de6c20d4316aafd1a7f37\">Sumo Logic Threat Labs and Sumo Logic Global Operations Center (GOC) are two distinct organizations within Sumo Logic partnering to safeguard Sumo Logic&#8217;s customers, their data, and their organizations from emerging threats, inject security DNA throughout Sumo Logic, and contribute to the broader security community. We do this by monitoring threat activity to produce and distribute actionable intelligence, detection content and security 
guidance.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/section>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":305,"featured_media":0,"template":"","meta":{"_acf_changed":false,"show_custom_date":false,"custom_date":"","featured":false,"featured_image":0,"learn_more_label":"","image_alt_text":"","learn_more_type":"","show_popup":false,"learn_more_link_file":0,"event_date":false,"event_start_date":"","event_end_date":"","place_holder_image_url":"","post_reading_time":"10","notification_enabled":false,"notification_text":"","notification_logo":"","notification_expiration_time":0,"is_enable_transparent_header":false,"selected_taxonomy_terms":{"blog-category":[126,134,127,216],"blog-tag":[],"translation_priority":[]},"selected_primary_terms":{"blog-category":[]},"learn_more_link":[],"featured_page_list":[],"notification_enabled_post_list":[],"_gspb_post_css":"","_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"4668,71369,71176","_relevanssi_noindex_reason":"","inline_featured_image":false,"footnotes":""},"blog-category":[126,216,127],"blog-tag":[],"class_list":["post-5403","blog","type-blog","status-publish","hentry","blog-category-cloud-siem","blog-category-platform","blog-category-secops-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/5403","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/users\/305"}],"version-history":[{"count":4,"href":"https:\/\/www.sumologic.com\/wp-
json\/wp\/v2\/blog\/5403\/revisions"}],"predecessor-version":[{"id":71519,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/5403\/revisions\/71519"}],"wp:attachment":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/media?parent=5403"}],"wp:term":[{"taxonomy":"blog-category","embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog-category?post=5403"},{"taxonomy":"blog-tag","embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog-tag?post=5403"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}