These are worth knowing regardless, and especially now, given what the LAPSUS$ compromise has shown us about Okta.
Here’s the Okta Event-Type catalog:
https://developer.okta.com/docs/reference/api/event-types/#catalog
User Events:

| EventType filter | Notes |
|---|---|
| `eventType eq "user.session.start"` | User logging in |
| `eventType eq "user.session.end"` | User logging out |
| `eventType eq "policy.evaluate_sign_on"` | Sign-on policy evaluation |
| `eventType eq "user.account.lock"` | Okta user locked out |
| `eventType sw "user.authentication.auth"` | All authentication events (MFA, AD agent, RADIUS, etc.); `sw` is a starts-with match |
| `eventType eq "user.account.update_password"` | User changing their password |
| `eventType eq "user.authentication.sso"` | User accessing an app via single sign-on |
| `eventType eq "user.authentication.auth_via_mfa"` | MFA challenge |
| `eventType eq "user.mfa.factor.update"` | User changing MFA factors |
| `eventType eq "system.mfa.factor.deactivate"` | An admin has deactivated an MFA factor |
| `eventType eq "user.mfa.attempt_bypass"` | Attempt to bypass an MFA factor |
| `eventType eq "user.session.impersonation.initiate"` | Impersonation session initiated |
Okta Events:

| EventType filter | Notes |
|---|---|
| `eventType eq "user.session.access_admin_app"` | A user accessing the Admin Console of your Okta instance |
| `eventType eq "user.account.reset_password"` | User password reset by an Okta admin |
| `eventType eq "zone.update"` | Modification of a Network Zone |
| `eventType eq "user.account.privilege.grant"` | Granting Okta admin privileges to a user |
| `eventType eq "group.user_membership.add"` | Adding an Okta user to a group |
| `eventType eq "application.user_membership.add"` | Assigning a user to an application |
| `eventType eq "policy.lifecycle.create"` | Creation of a new Okta policy |
| `eventType eq "application.lifecycle.create"` | New application created |
| `eventType eq "user.lifecycle.activate"` | New Okta user activated |
| `eventType eq "application.provision.user.push"` | Newly assigned user pushed (provisioned) to the application |
| `eventType eq "user.lifecycle.deactivate"` | Okta user deactivated |
| `eventType eq "user.lifecycle.suspend"` | Okta user suspended |
| `eventType eq "user.session.clear"` | Okta user's sessions cleared |
| `eventType eq "system.api_token.create"` | Creation of a new Okta API token |
| `eventType eq "system.org.rate_limit.violation"` | Org hit its API rate limit |
| `eventType eq "user.mfa.factor.deactivate"` | MFA factor removed from a user |
| `eventType eq "user.mfa.factor.reset_all"` | All MFA factors removed from a user |
Cloudflare investigated with these events:

- user.account.reset_password
- user.mfa.factor.update
- system.mfa.factor.deactivate
- user.mfa.attempt_bypass
- user.session.impersonation.initiate
You can read about the Cloudflare investigation here:
https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise
NOTES:
- Events can be linked to a session: each event carries the session id (`authenticationContext.externalSessionId` in the JSON), so a search such as `sessionId:trs2lk299ljajfa` returns everything done in that session.
- Every event records the client IP address (`client.ipAddress`); `request.ipChain` shows the full path when a proxy sits in front.
- Different types of events are distinguished by `eventType`.
- Tally the eventTypes seen over a long window to build a baseline, then look for ones that are rare or new; an admin event that has never appeared before deserves a look.
- Search for `eventType:app*` (the `application.*` events) to spot abnormal application activity, such as new apps or unexpected assignments.
- Okta logs contain user agents that can lead to interesting discoveries. If your company is Mac-based, why are you seeing a user agent that says Windows? (User agents can be altered, but operators can be lazy.)
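Putting the notes above to work offline, as an added example (not part of the cheat sheet): start from any high-risk event, pivot to the whole session it belongs to, and flag sessions whose user agent does not fit the fleet. `SAMPLE_EVENTS` is a constructed batch in the System Log JSON shape (field names follow the public LogEvent schema: `eventType`, `actor`, `client.ipAddress`, `client.userAgent`, `target`, `authenticationContext.externalSessionId`, `outcome`); the users, IPs and session ids are invented, and the org is assumed to be Mac-only so a Windows user agent counts as an anomaly.

```python
"""Offline triage of Okta System Log events (added example, constructed data)."""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set

# The event types Cloudflare pivoted on in their investigation.
HIGH_RISK_EVENTS = {
    "user.account.reset_password",
    "user.mfa.factor.update",
    "system.mfa.factor.deactivate",
    "user.mfa.attempt_bypass",
    "user.session.impersonation.initiate",
}

EXPECTED_OS_PREFIXES = ("Mac OS X", "iOS")  # assumption: a Mac-based shop


def _ev(event_type, actor, session, ip, os_name, target=None, result="SUCCESS"):
    """Build one constructed LogEvent-shaped record (sample data, not real logs)."""
    return {
        "eventType": event_type,
        "actor": {"alternateId": actor, "type": "User"},
        "client": {"ipAddress": ip,
                   "userAgent": {"os": os_name, "browser": "CHROME",
                                 "rawUserAgent": f"Mozilla/5.0 ({os_name}) constructed"}},
        "authenticationContext": {"externalSessionId": session},
        "target": [{"alternateId": target, "type": "User"}] if target else [],
        "outcome": {"result": result},
    }


SAMPLE_EVENTS = [
    _ev("user.session.start", "alice@example.com", "sess-alice-1", "203.0.113.10", "Mac OS X"),
    _ev("user.authentication.sso", "alice@example.com", "sess-alice-1", "203.0.113.10", "Mac OS X"),
    _ev("user.session.start", "vendor@example.com", "sess-vendor-9", "198.51.100.7", "Windows 10"),
    _ev("user.session.access_admin_app", "vendor@example.com", "sess-vendor-9", "198.51.100.7", "Windows 10"),
    _ev("user.account.reset_password", "vendor@example.com", "sess-vendor-9", "198.51.100.7", "Windows 10", target="carol@example.com"),
    _ev("user.mfa.factor.update", "vendor@example.com", "sess-vendor-9", "198.51.100.7", "Windows 10", target="carol@example.com"),
    _ev("user.session.impersonation.initiate", "vendor@example.com", "sess-vendor-9", "198.51.100.7", "Windows 10", target="carol@example.com"),
    _ev("user.session.start", "dave@example.com", "sess-dave-2", "203.0.113.44", "Mac OS X"),
]


def session_id(ev: dict) -> str:
    return ev.get("authenticationContext", {}).get("externalSessionId") or "<none>"


def high_risk(events: Iterable[dict]) -> List[dict]:
    return [e for e in events if e["eventType"] in HIGH_RISK_EVENTS]


def by_session(events: Iterable[dict]) -> Dict[str, List[dict]]:
    """Group events by session id, the pivot the notes describe."""
    out = defaultdict(list)
    for e in events:
        out[session_id(e)].append(e)
    return dict(out)


def unexpected_os_sessions(events: Iterable[dict], expected=EXPECTED_OS_PREFIXES) -> Set[str]:
    """Sessions whose user-agent OS is outside the fleet (a missing OS is flagged too)."""
    flagged = set()
    for e in events:
        os_name = e.get("client", {}).get("userAgent", {}).get("os") or ""
        if not os_name.startswith(expected):
            flagged.add(session_id(e))
    return flagged


def rare_event_types(events: Iterable[dict], max_count: int = 1) -> Dict[str, int]:
    """Event types seen at most `max_count` times: the baseline-then-outliers idea."""
    counts = Counter(e["eventType"] for e in events)
    return {k: v for k, v in counts.items() if v <= max_count}


def session_report(events: Iterable[dict], sid: str) -> dict:
    evs = by_session(events).get(sid, [])
    return {
        "session": sid,
        "actors": sorted({e["actor"]["alternateId"] for e in evs}),
        "ips": sorted({e["client"]["ipAddress"] for e in evs}),
        "targets": sorted({t["alternateId"] for e in evs for t in e["target"]}),
        "eventTypes": [e["eventType"] for e in evs],
        "high_risk": sum(1 for e in evs if e["eventType"] in HIGH_RISK_EVENTS),
    }


def triage(events: List[dict]) -> List[dict]:
    """Report every session that contains a high-risk event or an off-fleet user agent."""
    sids = {session_id(e) for e in high_risk(events)} | unexpected_os_sessions(events)
    return [session_report(events, s) for s in sorted(sids)]


if __name__ == "__main__":
    for report in triage(SAMPLE_EVENTS):
        print(report)
```

Against the constructed batch, one session is reported: the Windows-based actor who opened the Admin Console, reset a password, changed an MFA factor and started impersonating the same target, which is exactly the sequence the Cloudflare event list was chosen to surface.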
Source:
https://github.com/OktaSecurityLabs/CheatSheets/blob/master/SecurityEvents.md