User Activity Anomaly Insights Explained

11/2022 - rev 1

Overview

Oort provides insights into anomalous user behavior for both the Azure AD and Okta platforms. The intention is to highlight unusual activity that may be an indicator of privilege escalation, or of other invasive or evasive tactics used by threat actors within an environment.

The anomalous behavior can include a variety of different actions. This article explains the different categories.

The core criteria that trigger this insight are the following:

  • A user performing an administrative action (defined below) that they have not previously performed in the past 90 days
  • A user taking a high velocity of administrative actions in a short period of time (configurable, see below)

Configuration

For the second bullet above, related to high-velocity admin actions, the default threshold is 10 targets or objects (users, groups, devices) in 10 minutes. Both values are configurable in the Insight details.


Okta User Anomaly Categories

For Okta, the insight details are based on events that are consumed via the Okta System Log. The specific attribute referenced is the Okta eventType.

Because Okta presents a large number of event types, Oort aggregates similar or related events into different categories of actions.

Each of these categories represents actions that, when taken by users who do not normally perform them, should be reviewed by the Security team.

Category: okta_custom_admin_role_operations
Event types: 'iam.role.create', 'iam.role.delete', 'iam.role.permissions.delete', 'iam.role.permissions.add', 'iam.resourceset.bindings.add', 'iam.resourceset.bindings.delete'

Category: okta_resourceset_operations
Event types: 'iam.resourceset.create', 'iam.resourceset.delete', 'iam.resourceset.resources.add', 'iam.resourceset.resources.delete'

Category: okta_device_operations
Event types: 'device.enrollment.create', 'device.lifecycle.activate', 'device.lifecycle.deactivate', 'device.lifecycle.delete', 'device.lifecycle.suspend', 'device.lifecycle.unsuspend'

Category: okta_admin_role_operations
Event types: 'group.privilege.grant', 'user.account.privilege.grant', 'group.privilege.revoke', 'user.account.privilege.revoke'

Category: okta_api_token_operation
Event types: 'system.api_token.create', 'system.api_token.revoke'

Category: okta_application_operations
Event types: 'application.lifecycle.update', 'application.lifecycle.delete', 'application.lifecycle.deactivate'

Category: okta_application_sign_on_policy_operations
Event types: 'zone.deactivate', 'zone.delete', 'zone.remove_blacklist'

Category: okta_policy_operations
Event types: 'policy.lifecycle.update', 'policy.lifecycle.delete', 'policy.lifecycle.overwrite', 'policy.lifecycle.deactivate'

Category: okta_policy_rule_operations
Event types: 'policy.rule.update', 'policy.rule.delete', 'policy.rule.deactivate'

Category: rare_mfa_operations
Event types: 'user.mfa.factor.update', 'system.mfa.factor.deactivate', 'user.mfa.attempt_bypass', 'user.mfa.factor.deactivate', 'user.mfa.factor.reset_all'

Category: okta_account_session_impersonation
Event types: 'user.session.impersonation.extend', 'user.session.impersonation.grant', 'user.session.impersonation.initiate', 'user.session.impersonation.end', 'user.session.impersonation.revoke'

Category: okta_config_management
Event types: 'security.authenticator.lifecycle.activate', 'security.authenticator.lifecycle.deactivate', 'security.authenticator.lifecycle.update', 'security.device.temporarily_disable_blacklisting', 'security.threat.configuration.update', 'security.request.blocked', 'security.zone.make_blacklist', 'security.zone.remove_blacklist'
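To make the two trigger rules and the category mapping concrete, here is an added example (not Oort's code) that reimplements them over a small batch of constructed Okta System Log events: the rare-action rule with the 90-day lookback, and the velocity rule with the default 10 targets in 10 minutes. The event shape used here (published, actor, eventType, targets) is a simplification of the real System Log record, the sample log is constructed, and the function names are illustrative. For Azure AD the same logic applies with the directoryAudit category field in place of the eventType lookup.

```python
"""Reimplementation of the two User Activity Anomaly trigger rules described above.
Added example, not Oort's code. Event shape and function names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Category-to-eventType mapping taken from the table above.
OKTA_CATEGORIES = {
    "okta_custom_admin_role_operations": {"iam.role.create", "iam.role.delete", "iam.role.permissions.delete", "iam.role.permissions.add", "iam.resourceset.bindings.add", "iam.resourceset.bindings.delete"},
    "okta_resourceset_operations": {"iam.resourceset.create", "iam.resourceset.delete", "iam.resourceset.resources.add", "iam.resourceset.resources.delete"},
    "okta_device_operations": {"device.enrollment.create", "device.lifecycle.activate", "device.lifecycle.deactivate", "device.lifecycle.delete", "device.lifecycle.suspend", "device.lifecycle.unsuspend"},
    "okta_admin_role_operations": {"group.privilege.grant", "user.account.privilege.grant", "group.privilege.revoke", "user.account.privilege.revoke"},
    "okta_api_token_operation": {"system.api_token.create", "system.api_token.revoke"},
    "okta_application_operations": {"application.lifecycle.update", "application.lifecycle.delete", "application.lifecycle.deactivate"},
    "okta_application_sign_on_policy_operations": {"zone.deactivate", "zone.delete", "zone.remove_blacklist"},
    "okta_policy_operations": {"policy.lifecycle.update", "policy.lifecycle.delete", "policy.lifecycle.overwrite", "policy.lifecycle.deactivate"},
    "okta_policy_rule_operations": {"policy.rule.update", "policy.rule.delete", "policy.rule.deactivate"},
    "rare_mfa_operations": {"user.mfa.factor.update", "system.mfa.factor.deactivate", "user.mfa.attempt_bypass", "user.mfa.factor.deactivate", "user.mfa.factor.reset_all"},
    "okta_account_session_impersonation": {"user.session.impersonation.extend", "user.session.impersonation.grant", "user.session.impersonation.initiate", "user.session.impersonation.end", "user.session.impersonation.revoke"},
    "okta_config_management": {"security.authenticator.lifecycle.activate", "security.authenticator.lifecycle.deactivate", "security.authenticator.lifecycle.update", "security.device.temporarily_disable_blacklisting", "security.threat.configuration.update", "security.request.blocked", "security.zone.make_blacklist", "security.zone.remove_blacklist"},
}
EVENT_TO_CATEGORY = {et: cat for cat, ets in OKTA_CATEGORIES.items() for et in ets}

RARE_LOOKBACK = timedelta(days=90)        # rule 1: category not performed by this actor in 90 days
VELOCITY_TARGETS = 10                     # rule 2 default: 10 distinct targets ...
VELOCITY_WINDOW = timedelta(minutes=10)   # ... within 10 minutes


def categorize(event_type):
    """Return the category for an Okta eventType, or None if the event is not an admin action we track."""
    return EVENT_TO_CATEGORY.get(event_type)


def _parse_ts(published):
    # Okta publishes ISO-8601 UTC timestamps with a trailing 'Z'.
    return datetime.fromisoformat(published.replace("Z", "+00:00"))


def find_anomalies(events, velocity_targets=VELOCITY_TARGETS, velocity_window=VELOCITY_WINDOW):
    """Apply both rules to a batch of events and return (rule, actor, detail) tuples in time order."""
    findings = []
    history = defaultdict(list)   # (actor, category) -> timestamps of prior tracked actions
    windows = defaultdict(list)   # actor -> [(timestamp, target)] still inside the velocity window
    for ev in sorted(events, key=lambda e: e["published"]):
        category = categorize(ev["eventType"])
        if category is None:
            continue  # sign-ins and other non-administrative events do not count
        actor, ts = ev["actor"], _parse_ts(ev["published"])
        # Rule 1: rare admin action. Anything older than the lookback does not count as "done before".
        seen = history[(actor, category)]
        if not any(ts - prior <= RARE_LOOKBACK for prior in seen):
            findings.append(("rare_admin_action", actor, category))
        seen.append(ts)
        # Rule 2: high velocity. Count distinct targets touched inside the sliding window.
        window = windows[actor]
        window.extend((ts, target) for target in ev.get("targets", []))
        window[:] = [(t, target) for t, target in window if ts - t <= velocity_window]
        distinct = {target for _, target in window}
        if len(distinct) >= velocity_targets:
            findings.append(("high_velocity_admin", actor, len(distinct)))
            window.clear()  # one finding per burst, not one per additional event
    return findings


# Constructed sample log (not real data): carol creates API tokens 144 days apart, alice grants a
# privilege twice within 90 days, and bob grants a group privilege to ten groups in nine minutes.
SAMPLE_EVENTS = [
    {"published": "2022-07-01T09:00:00Z", "actor": "carol", "eventType": "system.api_token.create", "targets": ["tok-1"]},
    {"published": "2022-11-01T10:00:00Z", "actor": "alice", "eventType": "user.account.privilege.grant", "targets": ["u-100"]},
    {"published": "2022-11-15T10:00:00Z", "actor": "alice", "eventType": "user.account.privilege.grant", "targets": ["u-101"]},
    {"published": "2022-11-22T08:00:00Z", "actor": "carol", "eventType": "system.api_token.create", "targets": ["tok-2"]},
    {"published": "2022-11-22T08:30:00Z", "actor": "alice", "eventType": "user.session.start", "targets": []},
] + [
    {"published": f"2022-11-22T09:0{i}:00Z", "actor": "bob", "eventType": "group.privilege.grant", "targets": [f"g-{i}"]}
    for i in range(10)
]

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_EVENTS):
        print(finding)
```

Note that carol's second token creation is flagged as rare even though she has done it before, because the earlier occurrence falls outside the 90-day window, while alice's second grant is not. Raising velocity_targets above 10 or shrinking the window below bob's nine-minute burst removes the velocity finding, which is the knob the Configuration section describes.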

Azure AD User Anomaly Categories

For Azure AD environments, the Insight is based on events collected from Azure AD Directory Audits.

Specifically, the category field from the directoryAudit resource type is referenced and presented in Oort events and notifications for this check.

category: indicates which resource category is targeted by the activity, for example UserManagement, GroupManagement, ApplicationManagement or RoleManagement.


Recommendations for User Activity Anomaly Events

From a security and governance perspective, anomalous user activity involving administrative actions, whether rare actions or actions taken in bulk against a large number of objects, should be reviewed and confirmed against either:

  1. Known normal behavior for that end user within the platform
  2. A service ticket, request, or temporary privilege escalation that explains and justifies the actions taken

Either within the Checks tab for an individual user failing this Insight, or within the Slack or Teams notifications, the event can be marked as Interesting or Normal Behavior to log the result of the review within the Oort platform.

Interesting and Normal Behavior feedback events are reviewed by the Oort Product and Engineering team to enhance the accuracy of the platform.
