RSS

Analyze Okta Log Events with a Falco Plugin

In March 2022, the cybercriminal group LAPSUS$ claimed to have breached Okta, the Identity Platform, only two months earlier, leaving their customers with the uncertainty of having been exposed as well. After a thorough investigation undertaken by their security team, Okta made public some details of this security incident.

Okta provides identity services for more than 15.000 companies. They guarantee that only legitimate personnel has access to networks and resources within their organization. This incident has raised once more the concern, that detecting suspicious events as soon as they occur within the organization is more necessary than ever.

Falco has always excelled as a threat detection engine observing activity on Linux servers and Kubernetes clusters. Since Falco 0.31 it is also possible to collect events from sources other than Kernel Syscalls and Kubernetes Audit logs. The number of sources can be extended to cover any stream of events. For more information read our blogs posts about it:

In this blog post, we'll introduce a new plugin created by the Falco Authors to collect Okta Log Events and be able to trigger alerts whenever suspicious events are detected.

Okta Plugin

Installation

As with any other plugin created by the Falco Authors, you will find a library already built for a Linux environment in this URL.

It is a good practice to download the stable version and install it in the directory /usr/local/share/falco/plugins.

Here are the steps to do so:

sudo mkdir -p /usr/local/share/falco/plugins
cd /tmp
wget https://download.falco.org/plugins/stable/okta-0.1.0-x86_64.tar.gz
tar xvzf okta-0.1.0-x86_64.tar.gz
sudo mv libokta.so /usr/local/share/falco/plugins

Configuration

To activate the plugin for Falco, add the following configuration inside the plugin section of the file /etc/falco/falco.yaml like this:

plugins:
  - name: okta
    library_path: /usr/local/share/falco/plugins/libokta.so
    init_config:
      organization: MYORG
      api_token: MY_API_TOKEN
    open_params: ''

And enable it in the load_plugins section of the same file:

load_plugins: [okta]

Be aware that loading a plugin disables the syscalls collection. You may need to run a different instance of Falco service aside to collect both.

Only the following custom settings are required:

Rules

Available fields

The plugin README lists all available fields to create your rules:

NameTypeDescription
okta.appstringApplication
okta.evt.typestringEvent Type
okta.evt.legacytypestringEvent Legacy Type
okta.severitystringSeverity
okta.messagestringMessage
okta.actor.idstringActor ID
okta.actor.TypestringActor Type
okta.actor.alternateidstringActor Alternate ID
okta.actor.namestringActor Display Name
okta.client.zonestringClient Zone
okta.client.ipstringClient IP Address
okta.client.devicestringClient Device
okta.client.idstringClient ID
okta.client.geo.citystringClient Geographical City
okta.client.geo.statestringClient Geographical State
okta.client.geo.countrystringClient Geographical Country
okta.client.geo.postalcodestringClient Geographical Postal Code
okta.client.geo.latstringClient Geographical Latitude
okta.client.geo.lonstringClient Geographical Longitude
okta.useragent.osstringUseragent OS
okta.useragent.browserstringUseragent Browser
okta.useragent.rawstringRaw Useragent
okta.resultstringOutcome Result
okta.reasonstringOutcome Reason
okta.transaction.idstringTransaction ID
okta.transaction.typestringTransaction Type
okta.requesturistringRequest URI
okta.principal.idstringPrincipal ID
okta.principal.alternateidstringPrincipal Alternate ID
okta.principal.typestringPrincipal Type
okta.principal.namestringPrincipal Name
okta.authentication.stepstringAuthentication Step
okta.authentication.sessionidstringExternal Session ID
okta.security.asnumberuint64Security AS Number
okta.security.asorgstringSecurity AS Org
okta.security.ispstringSecurity ISP
okta.security.domainstringSecurity Domain
okta.target.user.idstringTarget User ID
okta.target.user.alternateidstringTarget User Alternate ID
okta.target.user.namestringTarget User Name
okta.target.group.idstringTarget Group ID
okta.target.group.alternateidstringTarget Group Alternate ID
okta.target.group.namestringTarget Group Name

List of event types of interest

Okta Security Team also proposes a list of event types of interest.

User Events

EventType FilterNotes
eventType eq "user.session.start"User logging in
eventType eq "user.session.end"User logging out
eventType eq “policy.evaluate_sign_on”Sign in policy evaluation
eventType eq “user.account.lock”Okta user locked out
eventType sw "user.authentication.auth"All types of Auth events, covering MFA, AD, Radius, etc
eventType eq "user.account.update_password"User changing password
eventType eq "user.authentication.sso"User accesing app via single sign on
eventType eq "user.authentication.auth_via_mfa"MFA challenge
eventType eq "user.mfa.factor.update"User changing MFA factors

Okta Events

EventType FilterNotes
eventType eq "user.session.access_admin_appThese events are associated with users accessing the Admin section of your Okta instance
eventType eq "user.account.reset_password"User password reset by Okta Admin
eventType eq "zone.update"Modification of a Network Zone
eventType eq "user.account.privilege.grant"Granting Okta Admin to a user
eventType eq "group.user_membership.add"Adding Okta user to a group
eventType eq "application.user_membership.add"Adding user to application membership
eventType eq "policy.lifecycle.create"Creation of a new Okta Policy
eventType eq ”application.lifecycle.create”New Application created
eventType eq ”user.lifecycle.activate”New Okta user
eventType eq "application.provision.user.push"Assign application to user
eventType eq ”user.lifecycle.deactivate”Deactivate Okta user
eventType eq ”user.lifecycle.suspend”Suspend Okta user
eventType eq "user.session.clear"Okta user login session cleared
eventType eq "system.api_token.create"Creation of a new Okta API token
eventType eq “system.org.rate_limit.violation”Hitting the rate limit on requests
eventType eq “user.mfa.factor.deactivate”Removed MFA factor from user
eventType eq "user.mfa.factor.reset_all"Remove all MFA factors from user

Examples

We can now easily create Falco rules to detect possible threats, e.g.:

- rule: Adding user in OKTA group
  desc: Detect a new user added to an OKTA group
  condition: okta.evt.type = "group.user_membership.add"
  output: >
       "A user has been added in an OKTA group 
       (user=%okta.actor.name, 
       target group=%okta.target.group.name, 
       target user=%okta.target.user.name)"
  priority: NOTICE
  source: okta
  tags: [okta]
  
- rule: User accessing OKTA admin section
  desc: Detect a user accessing OKTA admin section of your OKTA instance
  condition: okta.evt.type = "user.session.access_admin_app"
  output: >
       "A user accessed the OKTA admin section of your OKTA instance
       (user=%okta.actor.name, ip=%okta.client.ip)"
  priority: NOTICE
  source: okta
  tags: [okta]

Notice the source: okta. It is mandatory to tell Falco these rules are related to the Okta plugin.

You can find the whole set of rules proposed by the Falco Authors among other rulesets in a PR in main Falco repository.

Run

Once the configuration and our rules are ready to be used, it's time to test it:

falco -c /etc/falco/falco.yaml -r /etc/falco/okta_rules.yaml

You should get this kind of results:

14:07:31.295984000: Notice A user has accessed an app using OKTA (user=Tony Stark, app=avengers_drive)
14:07:36.531283000: Notice A user has accessed an app using OKTA (user=Natasha Romanoff, app=shield_cloud)
14:08:24.077820000: Notice A user logged in OKTA from a suspicious country (user=Black Panther, ip=x.x.x.x, country=Wakanda)
14:09:22.064456000: Notice A user logged in OKTA from a suspicious country (user=Thanos, ip=x.x.x.x, country=Titan)

Conclusion

With the power of Falco and its new plugin framework, we've been able to consume events from a new source in just a few hours. This effort also aims to improve the observability of such an important element in the infrastructure of numerous organizations, as an Identity Provider like Okta is.

Falco keeps demonstrating that it is much more than a runtime security project. It can support organizations by enabling their security teams to quickly detect and respond whenever a security incident occurs.


You can find us in the Falco community. Please feel free to reach out to us for any questions, suggestions, or even for a friendly chat!

If you would like to find out more about Falco: