/* KTLYST Artifact: LA-2026-0847-DET-003 */
/* Campaign: CAMP-2026-0847 (Scattered Spider) */
/* Approved: SOC Lead (M. Chen) — 3 min review — Mon 09:17:04 UTC */
/* Policy: IR Policy KL-202601-v1.0.2 | Approval: INC#998877 */
```
index=vpn sourcetype=vpn:auth
| eval vpn_time=_time
| join type=inner user
    [ search index=iam sourcetype=okta:mfa action=reset
      | eval mfa_reset_time=_time
      | fields user mfa_reset_time ]
| where vpn_time - mfa_reset_time >= 0 AND vpn_time - mfa_reset_time < 86400
| where NOT match(device_id, known_devices)
| eval risk_score=case(
    geo_distance > 500, "CRITICAL",
    geo_distance > 100, "HIGH",
    1=1, "MEDIUM")
| table _time user src_ip device_id mfa_reset_time risk_score
```
4 events matched | Last 24 hours
MITRE: T1078, T1556
| _time | user | src_ip | device_id | mfa_reset_time | risk_score |
|---|---|---|---|---|---|
| 02/24 03:41:12 | jchen | 198.51.100.47 | UNKNOWN-9F2A | 02/23 14:22:08 | CRITICAL |
| 02/24 03:38:55 | jchen | 198.51.100.47 | UNKNOWN-9F2A | 02/23 14:22:08 | CRITICAL |
| 02/24 01:12:33 | mthompson | 203.0.113.88 | UNKNOWN-3C7D | 02/23 18:45:02 | HIGH |
| 02/23 22:07:19 | asingh | 192.0.2.156 | UNKNOWN-A1B3 | 02/23 16:11:44 | MEDIUM |
📝 KTLYST — VPN+MFA Correlation
```sql
-- KTLYST Artifact: LA-2026-0847-DET-004
-- Campaign: CAMP-2026-0847 (Scattered Spider)
-- Approved: SOC Lead (M. Chen) — 3 min review — Mon 09:17:04 UTC
-- Policy: IR Policy KL-202601-v1.0.2 | Approval: INC#998877
-- Governance: Hash-verified, provenance-tracked
--
-- Pair each VPN login from an unenrolled device with a helpdesk-initiated
-- MFA reset for the same user in the preceding 24 hours (Snowflake DATEDIFF).
SELECT
    vpn.user_id,
    vpn.src_ip,
    vpn.auth_time,
    mfa.reset_time,
    DATEDIFF('hour', mfa.reset_time, vpn.auth_time) AS hours_between,
    vpn.geo_location,
    vpn.device_enrolled
FROM security.vpn_auth vpn
JOIN security.mfa_events mfa
  ON vpn.user_id = mfa.user_id
WHERE mfa.reset_method = 'helpdesk'
  AND vpn.device_enrolled = FALSE
  -- repeat the expression rather than the alias: portable, and unambiguous
  -- if a column named hours_between ever appears in either table
  AND DATEDIFF('hour', mfa.reset_time, vpn.auth_time) BETWEEN 0 AND 24
ORDER BY vpn.auth_time DESC;
```
Results (3 rows)
Execution time: 0.42s
| USER_ID | SRC_IP | AUTH_TIME | RESET_TIME | HOURS_BETWEEN | GEO_LOCATION | DEVICE_ENROLLED |
|---|---|---|---|---|---|---|
| jchen | 198.51.100.47 | 2026-02-24 03:41 | 2026-02-23 14:22 | 13 | Lagos, NG | FALSE |
| mthompson | 203.0.113.88 | 2026-02-24 01:12 | 2026-02-23 18:45 | 6 | Moscow, RU | FALSE |
| asingh | 192.0.2.156 | 2026-02-23 22:07 | 2026-02-23 16:11 | 5 | Bucharest, RO | FALSE |
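The behavioral signature that both the Splunk search and the Snowflake query above express (helpdesk MFA reset, then a VPN login from an unenrolled device within 24 hours, scored by distance from the user's usual location) as an added Python example; this is not KTLYST's, Splunk's or Snowflake's code. All sample events, the known-device list and the per-user home coordinates are constructed, and a haversine distance stands in for the `geo_distance` field, which neither query defines. Like the SQL (and unlike the Splunk `where`, which has no lower bound), it only pairs a login that happens after the reset.

```python
"""Correlate helpdesk MFA resets with VPN logins from unenrolled devices within 24h."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

WINDOW_SECONDS = 24 * 3600

# Constructed Okta MFA reset events (one input stream) ...
MFA_RESETS = [
    {"user": "jchen", "reset_time": "2026-02-23T14:22:08Z", "reset_method": "helpdesk"},
    {"user": "mthompson", "reset_time": "2026-02-23T18:45:02Z", "reset_method": "helpdesk"},
    {"user": "asingh", "reset_time": "2026-02-23T16:11:44Z", "reset_method": "helpdesk"},
    {"user": "bwong", "reset_time": "2026-02-20T09:00:00Z", "reset_method": "helpdesk"},
    {"user": "dlee", "reset_time": "2026-02-23T10:00:00Z", "reset_method": "self_service"},
]
# ... and constructed VPN auth events (the other stream) with the login geolocation.
VPN_AUTHS = [
    {"user": "jchen", "time": "2026-02-24T03:41:12Z", "src_ip": "198.51.100.47",
     "device_id": "UNKNOWN-9F2A", "lat": 6.52, "lon": 3.38},
    {"user": "mthompson", "time": "2026-02-24T01:12:33Z", "src_ip": "203.0.113.88",
     "device_id": "UNKNOWN-3C7D", "lat": 55.76, "lon": 37.62},
    {"user": "asingh", "time": "2026-02-23T22:07:19Z", "src_ip": "192.0.2.156",
     "device_id": "UNKNOWN-A1B3", "lat": 44.43, "lon": 26.10},
    {"user": "bwong", "time": "2026-02-24T02:00:00Z", "src_ip": "203.0.113.5",
     "device_id": "UNKNOWN-77AA", "lat": 40.71, "lon": -74.00},   # reset was 4 days earlier
    {"user": "dlee", "time": "2026-02-23T12:00:00Z", "src_ip": "203.0.113.9",
     "device_id": "UNKNOWN-1234", "lat": 40.71, "lon": -74.00},   # self-service reset only
    {"user": "jchen", "time": "2026-02-23T16:00:00Z", "src_ip": "203.0.113.3",
     "device_id": "LAPTOP-0042", "lat": 40.71, "lon": -74.00},    # enrolled device
]
# Constructed: enrolled devices per user and the "home" coordinates used for geo_distance.
KNOWN_DEVICES = {"jchen": {"LAPTOP-0042"}, "mthompson": {"LAPTOP-0101"}, "asingh": {"LAPTOP-0099"}}
HOME_LOCATION = {"jchen": (40.71, -74.00), "mthompson": (56.86, 35.90),
                 "asingh": (44.43, 26.10), "bwong": (40.71, -74.00), "dlee": (40.71, -74.00)}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (assumption: this is how geo_distance is derived)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(geo_distance_km):
    """Same thresholds as the case() in the Splunk search."""
    if geo_distance_km > 500:
        return "CRITICAL"
    if geo_distance_km > 100:
        return "HIGH"
    return "MEDIUM"


def correlate(vpn_auths, mfa_resets, known_devices, home_location):
    """Return VPN logins from unenrolled devices that follow a helpdesk MFA reset within 24h."""
    resets_by_user = {}
    for r in mfa_resets:
        if r["reset_method"] == "helpdesk":          # the SQL's reset_method filter
            resets_by_user.setdefault(r["user"], []).append(parse_ts(r["reset_time"]))
    findings = []
    for a in vpn_auths:
        if a["device_id"] in known_devices.get(a["user"], set()):
            continue                                  # enrolled device: not the signature
        login_t = parse_ts(a["time"])
        for reset_t in resets_by_user.get(a["user"], []):
            delta = (login_t - reset_t).total_seconds()
            if 0 <= delta < WINDOW_SECONDS:           # reset precedes login by under 24h
                home_lat, home_lon = home_location[a["user"]]
                dist = haversine_km(home_lat, home_lon, a["lat"], a["lon"])
                findings.append({"time": a["time"], "user": a["user"], "src_ip": a["src_ip"],
                                 "device_id": a["device_id"],
                                 "mfa_reset_time": reset_t.strftime("%Y-%m-%dT%H:%M:%SZ"),
                                 "hours_between": round(delta / 3600, 1),
                                 "geo_distance_km": round(dist, 1),
                                 "risk_score": risk_score(dist)})
    return sorted(findings, key=lambda f: f["time"], reverse=True)


if __name__ == "__main__":
    for f in correlate(VPN_AUTHS, MFA_RESETS, KNOWN_DEVICES, HOME_LOCATION):
        print(f)
```

Run as a script it prints three findings ordered newest first: jchen (CRITICAL), mthompson (HIGH), asingh (MEDIUM); the bwong login is dropped because its reset is outside the window, dlee because the reset was self-service, and jchen's earlier login because the device is enrolled. Indexing resets per user first keeps the pass linear in the number of events instead of a full cross join.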
MFA Reset — Voice Verification Required
Policy Configuration
Active
Description
Require voice call verification to registered phone before any MFA factor reset initiated via helpdesk ticket. Deployed per IR Policy KL-202601-v1.0.2. Approved by SOC Lead (M. Chen) via INC#998877. Campaign CAMP-2026-0847.
Trigger Condition
reset_method == "helpdesk_ticket" AND factor_type IN ("push", "totp", "sms")
Required Action
Voice call to registered phone number on file (pre-enrollment). User must confirm 6-digit code read aloud by system.
Bypass Exceptions
None — SOX Regulated
No Emergency Override
KTLYST Artifact ID
LA-2026-0847-IAM-001
Conditional Access Scope
Applied To
All users — All applications
Enforcement
Deny reset if voice verification fails after 3 attempts. Escalate to Security team. Log as SOX control event.
Audit
All reset attempts logged with KTLYST provenance chain. Exported to SIEM + GRC.
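What the policy above enforces at the moment a helpdesk reset is requested, as an added Python model; this is not Okta's policy engine or KTLYST's code. It implements the trigger condition, the spoken 6-digit code, the deny-after-3-attempts rule with escalation, and the SOX control events. The phone directory and audit-event field names are constructed assumptions; the important control point is that the call goes to the number captured at enrollment, never to one supplied in the ticket.

```python
"""Helpdesk MFA reset gate: voice-code verification with a 3-attempt lockout."""
import hmac
import secrets

GATED_METHODS = {"helpdesk_ticket"}
GATED_FACTORS = {"push", "totp", "sms"}
MAX_ATTEMPTS = 3

# Constructed: numbers captured at MFA enrollment. The verification call goes to
# this number only; a number quoted in the helpdesk ticket is never used.
PHONE_ON_FILE = {"jchen": "+1-555-0100", "asingh": "+44-20-5550-0101"}


def requires_voice_verification(reset_method, factor_type):
    """Trigger condition: reset_method == "helpdesk_ticket" AND factor_type IN (push, totp, sms)."""
    return reset_method in GATED_METHODS and factor_type in GATED_FACTORS


class VoiceVerification:
    """State for one gated reset request.

    The system reads a 6-digit code to the enrolled phone; the agent enters what
    the caller repeats back. The code itself is never written to the audit log.
    """

    def __init__(self, user, audit, code=None):
        if user not in PHONE_ON_FILE:
            raise LookupError(f"no pre-enrolled phone for {user}")
        self.user = user
        self.audit = audit                    # list receiving control events (SIEM + GRC export)
        self.attempts = 0
        self.state = "PENDING"                # PENDING -> VERIFIED | DENIED
        # CSPRNG-generated code; the 'code' parameter exists only for tests and demos.
        self._code = code if code is not None else f"{secrets.randbelow(10**6):06d}"
        self.audit.append({"event": "voice_call_placed", "user": user,
                           "phone": PHONE_ON_FILE[user], "sox_control": True})

    def code_to_read_aloud(self):
        return self._code

    def attempt(self, entered):
        """Record one entry of the spoken code and return the new state."""
        if self.state != "PENDING":
            return self.state                 # a decision is final: no retries after DENIED
        self.attempts += 1
        if hmac.compare_digest(self._code, str(entered)):   # constant-time compare
            self.state = "VERIFIED"
            self.audit.append({"event": "mfa_reset_allowed", "user": self.user,
                               "attempts": self.attempts, "sox_control": True})
        elif self.attempts >= MAX_ATTEMPTS:
            self.state = "DENIED"
            self.audit.append({"event": "mfa_reset_denied", "user": self.user,
                               "attempts": self.attempts, "escalate_to": "security-team",
                               "sox_control": True})
        else:
            self.audit.append({"event": "voice_code_mismatch", "user": self.user,
                               "attempts": self.attempts, "sox_control": True})
        return self.state


def process_reset(user, reset_method, factor_type, audit, entered_codes=(), code=None):
    """Decide one reset request: 'ALLOWED', 'DENIED', or 'PENDING' if the call ended early."""
    if not requires_voice_verification(reset_method, factor_type):
        audit.append({"event": "mfa_reset_allowed", "user": user, "gate": "not_required"})
        return "ALLOWED"
    verification = VoiceVerification(user, audit, code=code)
    for entered in entered_codes:
        if verification.attempt(entered) != "PENDING":
            break
    return {"VERIFIED": "ALLOWED", "DENIED": "DENIED", "PENDING": "PENDING"}[verification.state]


if __name__ == "__main__":
    trail = []
    print(process_reset("jchen", "helpdesk_ticket", "push", trail,
                        ["000000", "111111", "222222"], code="123456"))
    for event in trail:
        print(event)
```

As written, the gate only fires for the three factor types the policy names; a reset of any other factor type passes straight through, which is worth keeping in mind when new factor types are enrolled.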
Block Lookalike Okta SSO Domains
LA-2026-0847-EML-005
Active
Description
Block inbound email containing links to lookalike Okta SSO domains used in Scattered Spider phishing campaigns. Deployed per IR Policy KL-202601-v1.0.2. Approved by SOC Lead (M. Chen) via INC#998877. Campaign CAMP-2026-0847.
Domain Patterns (Block)
*-okta-sso.*
*okta-verify.*
*oktaauth.*
*okta-mfa.*
*sso-okta.*
Also Blocking (Observed IOCs)
acme-okta-sso.com
okta-verify-login.net
corp-oktaauth.io
Actions
Quarantine Message
Notify User (phishing warning)
Alert Email Security Team
MITRE ATT&CK
T1566.002 — Spearphishing Link • T1583.001 — Acquire Infrastructure: Domains
Created: Mon 09:17:44 UTC • Last match: 3 messages quarantined
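How a gateway applies the rule above to a message, as an added Python example; this is not the mail security product's transport-rule engine. The block patterns and observed IOCs are the ones listed in the rule; the sample messages and the tenant's legitimate-host allowlist are constructed. It matches on the parsed hostname of each link rather than on raw message text, which is what keeps a legitimate `acme.okta.com` link with a suspicious-looking query string from being quarantined, and it shows why the explicit IOC list is needed alongside the globs: `okta-verify-login.net` matches none of them.

```python
"""Flag inbound mail whose links point at lookalike Okta SSO domains."""
import fnmatch
import re
from urllib.parse import urlparse

BLOCK_PATTERNS = ["*-okta-sso.*", "*okta-verify.*", "*oktaauth.*", "*okta-mfa.*", "*sso-okta.*"]
OBSERVED_IOCS = {"acme-okta-sso.com", "okta-verify-login.net", "corp-oktaauth.io"}
# Constructed: the tenant's real SSO hosts. Checked first so no wildcard can block them.
LEGITIMATE_HOSTS = {"acme.okta.com", "acme.oktapreview.com"}
RULE_ACTIONS = ["quarantine", "notify_user_phishing_warning", "alert_email_security_team"]

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def extract_hosts(body):
    """Hostnames of all http(s) URLs in the body, lower-cased, trailing dot removed."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname     # parsed host only: userinfo, path and query are ignored
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts


def matched_rule(host):
    """Return the IOC or glob pattern that blocks this host, or None if it is allowed."""
    if host in LEGITIMATE_HOSTS:
        return None
    if host in OBSERVED_IOCS:
        return host
    for pattern in BLOCK_PATTERNS:
        if fnmatch.fnmatchcase(host, pattern):
            return pattern
    return None


def evaluate_message(body):
    """Apply the transport rule to one message body; returns blocked hosts and actions."""
    hits = {}
    for host in extract_hosts(body):
        rule = matched_rule(host)
        if rule:
            hits[host] = rule
    return {"blocked_hosts": hits, "actions": RULE_ACTIONS if hits else []}


# Constructed sample messages.
SAMPLES = {
    "ioc": "Your session expired. Re-verify at https://acme-okta-sso.com/login?u=jchen",
    "glob": "Security notice: https://login.sso-okta.example/verify before 5pm",
    "ioc_only": "Confirm MFA here: http://okta-verify-login.net/",
    "legit": "Reminder: https://acme.okta.com/app/UserHome",
    "decoy_query": "See https://acme.okta.com/?next=okta-verify.net for details",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, evaluate_message(body))
```

Ordering matters in `matched_rule`: the allowlist runs first, then exact IOCs, then globs, so a new wildcard added later can never silently start quarantining the tenant's own SSO mail.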
Scattered Spider Stage-2 Loader
Critical
Rule Type
Process Creation
Detection Pattern
```
// KTLYST Artifact: LA-2026-0847-EDR-002
// Campaign: CAMP-2026-0847 (Scattered Spider)
ImageFileName = "*\\powershell.exe"
AND (CommandLine = "*-enc*" OR CommandLine = "*-EncodedCommand*")
AND NetworkConnection WITHIN 30s OF ProcessStart
AND RemotePort IN (443, 8443, 4443)
```
Description
Detects PowerShell execution with encoded commands followed by outbound HTTPS connection within 30 seconds — consistent with Scattered Spider stage-2 loader behavior observed in CAMP-2026-0847. Blocks execution and isolates host.
Response Action
Block • Kill Process • Network Contain Host
MITRE ATT&CK
LA-2026-0847-EDR-002
Governance hash: sha256:7f3a2...e91c
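The same logic as the IOA above, replayed over endpoint telemetry, as an added Python example; this is not CrowdStrike's IOA engine or KTLYST's code. The event schema and every sample event are constructed. It keeps the most recent encoded-PowerShell start per (host, pid), pairs it with the first connection to a watched port within 30 seconds, and decodes the `-enc`/`-EncodedCommand` payload (base64 of UTF-16LE) so the analyst can see the command when triaging the hit. Two caveats the rule itself shares: any process image other than `powershell.exe` (for example the PowerShell 7 binary) is out of scope, and only the two flag spellings the rule names are matched.

```python
"""Stage-2 loader signature: encoded PowerShell, then an outbound connection to
443/8443/4443 from the same process within 30 seconds."""
import base64
import re
from datetime import datetime, timezone

WINDOW_SECONDS = 30
WATCHED_PORTS = {443, 8443, 4443}
# Matches "-enc <payload>" and "-EncodedCommand <payload>" (case-insensitive), as in the rule.
ENC_FLAG_RE = re.compile(r"(?i)(?:^|\s)-enc[a-z]*\s+([A-Za-z0-9+/=]+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def decode_encoded_command(cmdline):
    """Plaintext of the encoded payload for triage, None if absent, '<undecodable>' if malformed."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def is_encoded_powershell(ev):
    return (ev["image"].lower().endswith("\\powershell.exe")
            and ENC_FLAG_RE.search(ev["cmdline"]) is not None)


def detect(events):
    """Replay ProcessStart/NetworkConnection events in time order; return rule hits."""
    candidates = {}                          # (host, pid) -> encoded-PowerShell start event
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        if ev["type"] == "ProcessStart":
            if is_encoded_powershell(ev):
                candidates[key] = ev
            else:
                candidates.pop(key, None)    # pid reused by an unrelated process
        elif ev["type"] == "NetworkConnection" and ev["remote_port"] in WATCHED_PORTS:
            start = candidates.get(key)
            if start is None:
                continue
            delta = (parse_ts(ev["ts"]) - parse_ts(start["ts"])).total_seconds()
            if 0 <= delta <= WINDOW_SECONDS:
                hits.append({"host": ev["host"], "pid": ev["pid"],
                             "remote": f'{ev["remote_ip"]}:{ev["remote_port"]}',
                             "seconds_after_start": delta,
                             "decoded_command": decode_encoded_command(start["cmdline"]),
                             "response": ["block", "kill_process", "network_contain_host"]})
    return hits


def _enc(ps_text):
    """Build a sample payload the way -EncodedCommand expects it (used only for the data below)."""
    return base64.b64encode(ps_text.encode("utf-16-le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry
    {"type": "ProcessStart", "ts": "2026-02-24T03:42:01Z", "host": "WS-JCHEN", "pid": 4120,
     "image": PS, "cmdline": "powershell.exe -enc " + _enc("Write-Output 'sample'")},
    {"type": "NetworkConnection", "ts": "2026-02-24T03:42:12Z", "host": "WS-JCHEN", "pid": 4120,
     "remote_ip": "198.51.100.23", "remote_port": 443},            # hit: 11s later, port 443
    {"type": "NetworkConnection", "ts": "2026-02-24T03:42:20Z", "host": "WS-JCHEN", "pid": 4120,
     "remote_ip": "198.51.100.23", "remote_port": 8080},           # port not in the rule
    {"type": "ProcessStart", "ts": "2026-02-24T03:50:00Z", "host": "WS-ADMIN", "pid": 777,
     "image": PS, "cmdline": "powershell.exe -EncodedCommand " + _enc("Get-Date")},
    {"type": "NetworkConnection", "ts": "2026-02-24T03:51:30Z", "host": "WS-ADMIN", "pid": 777,
     "remote_ip": "203.0.113.7", "remote_port": 443},              # 90s later: outside window
    {"type": "ProcessStart", "ts": "2026-02-24T04:00:00Z", "host": "WS-ADMIN", "pid": 900,
     "image": PS, "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"type": "NetworkConnection", "ts": "2026-02-24T04:00:05Z", "host": "WS-ADMIN", "pid": 900,
     "remote_ip": "203.0.113.7", "remote_port": 443},              # no encoded command
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Only the WS-JCHEN sequence fires; the WS-ADMIN encoded command is legitimate-looking but is excluded by the window, not by content, which is the point of a timing-based signature: it trades a possible miss on a slow loader for low noise on routine encoded scripts.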
IR-2026-0847
Playbook
P1 — Critical
Scattered Spider Response Playbook v1
Response Steps
1. Isolate Affected Endpoints: Network-contain hosts matching IOC pattern via CrowdStrike Falcon RTR. Priority: jchen workstation, any host with encoded PowerShell execution.
2. Revoke Compromised Sessions: Force session revocation for jchen, mthompson, asingh across Okta, VPN, and all SSO-linked applications. Disable accounts pending investigation.
3. Reset Affected MFA Factors: In-person identity verification required. New MFA enrollment with hardware token only. Voice verification policy now enforced (Artifact LA-2026-0847-IAM-001).
4. Hunt for Lateral Movement: Query Snowflake security lake for jchen credential usage across all systems. Check for privilege escalation, service account access, data exfiltration indicators.
5. Notify FS-ISAC: Share anonymized IOCs with Financial Services ISAC. Include domain patterns, behavioral signatures, and MITRE mapping per KTLYST export.
6. Executive Brief: Prepare executive brief for CISO: scope of compromise, containment status, SOX control gap identified, remediation timeline. KTLYST provenance chain attached. Approval: INC#998877.
Helpdesk MFA Reset Verification
CTRL-2026-0847-001
Remediated
Control Objective
Ensure all MFA factor resets initiated through helpdesk channels require secondary identity verification (voice call) before processing.
Framework
SOX ITGC — Logical Access Controls
Gap Description
MFA reset for user jchen was completed by helpdesk agent via social engineering without voice verification. Attacker impersonated employee to reset MFA, enabling unauthorized VPN access.
Risk Rating
High
Remediation
Okta authentication policy enforced per IR Policy KL-202601-v1.0.2 — voice verification now required for all helpdesk-initiated MFA resets (KTLYST Artifact LA-2026-0847-IAM-001). Approved by SOC Lead (M. Chen) via INC#998877. No exceptions. SOX-regulated control.
KTLYST Artifact ID
LA-2026-0847-GRC-007
Validation Status
Remediated — pending external audit validation (Q2 2026)
KTLYST Audit Trail — Evidence Chain
| Time | Event |
|---|---|
| Mon 09:14:22 UTC | Source ingested: FBI Flash Alert CU-000171-MW — Scattered Spider helpdesk social engineering TTP. Uploaded by J. Rivera (CTI Team). Source type: Direct warning. |
| Mon 09:14:38 UTC | Pattern extracted: MFA reset via helpdesk → VPN access from new device (behavioral signature) |
| Mon 09:15:01 UTC | Correlated: 5 source events across 5 teams linked to campaign CAMP-2026-0847 |
| Mon 09:15:12 UTC | SOX gap identified: No voice verification control existed for helpdesk MFA resets |
| Mon 09:17:04 UTC | SOC Lead approved: M. Chen approved 7 artifacts in single review (3 min). Policy: IR Policy KL-202601-v1.0.2. Approval chain: INC#998877. Hash: sha256:7f3a2...e91c |
| Mon 09:17:44 UTC | Deployed: Okta policy enforced, control record created. 7 artifacts → 6 tools in 40 seconds. |
Provenance Chain
Every artifact is governed. Every action is traceable. Try finding this audit trail in your current stack.
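One way an evidence chain like the one above can be made tamper-evident, as an added Python example; this is not KTLYST's governance implementation, which the page describes only as "hash-verified, provenance-tracked". It assumes a plain SHA-256 hash chain over canonical JSON: each entry's hash covers its content plus the previous entry's hash, so editing or dropping any entry breaks verification from that link onward. The sample events mirror the timeline on the page and are constructed; the governance hash shown on the page is not reproduced here.

```python
"""Tamper-evident audit trail: a SHA-256 hash chain over canonical JSON entries."""
import copy
import hashlib
import json

GENESIS = "0" * 64


def _canonical(entry):
    # Sorted keys and fixed separators so the same content always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash, entry):
    return hashlib.sha256(prev_hash.encode() + b"\n" + _canonical(entry)).hexdigest()


def build_chain(events):
    """Link events in order; each link records the previous hash and its own."""
    chain, prev = [], GENESIS
    for e in events:
        h = entry_hash(prev, e)
        chain.append({"entry": e, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of the first broken link)."""
    prev = GENESIS
    for i, link in enumerate(chain):
        if link["prev"] != prev or entry_hash(prev, link["entry"]) != link["hash"]:
            return False, i
        prev = link["hash"]
    return True, None


def chain_head(chain):
    """The hash to publish with the artifact; it commits to the whole trail."""
    return chain[-1]["hash"] if chain else GENESIS


# Constructed sample trail following the page's timeline.
SAMPLE_EVENTS = [
    {"ts": "Mon 09:14:22 UTC", "action": "source_ingested",
     "source": "FBI Flash Alert CU-000171-MW", "by": "J. Rivera"},
    {"ts": "Mon 09:14:38 UTC", "action": "pattern_extracted", "campaign": "CAMP-2026-0847"},
    {"ts": "Mon 09:17:04 UTC", "action": "approved", "approver": "M. Chen",
     "ticket": "INC#998877", "artifacts": 7},
    {"ts": "Mon 09:17:44 UTC", "action": "deployed", "target": "okta",
     "artifact": "LA-2026-0847-IAM-001"},
]


def tampered_copy(chain, index, **changes):
    """Return a copy of the chain with one entry's fields altered (for demonstration)."""
    bad = copy.deepcopy(chain)
    bad[index]["entry"].update(changes)
    return bad


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("head:", chain_head(chain), "intact:", verify_chain(chain))
    print("after edit:", verify_chain(tampered_copy(chain, 2, approver="someone else")))
    print("after deletion:", verify_chain(chain[:1] + chain[2:]))
```

Publishing only the head hash alongside the artifact is enough for a reviewer holding the full trail to detect any later change; storing the head somewhere the trail's owner cannot rewrite (an append-only log or a separate system of record) is what turns that from self-attestation into verification.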
Active Campaign
CAMP-2026-0847
Scattered Spider — Helpdesk Social Engineering
Current Artifact
LA-2026-0847-IAM-001
T1556
T1199
Governance
Policy: IR Policy KL-202601-v1.0.2
Approver: SOC Lead (M. Chen)
Approval Chain: INC#998877
Hash: sha256:7f3a2...e91c
Classification: Confidential
Retention: 7 years (SOX)
Source
Report: FBI Flash Alert CU-000171-MW
Source Type: Direct warning
Uploaded by: J. Rivera (CTI Team)
Received: Mon 09:14:22 UTC
Deployment Chain
Source Ingested
FBI Flash Alert CU-000171-MW — Scattered Spider helpdesk social engineering TTP
Mon 09:14:22 UTC — uploaded by J. Rivera (CTI Team)
KTLYST Extracted Pattern
Behavioral signature: MFA reset via helpdesk + VPN from new device within 24h
Mon 09:14:38 UTC — 09:15:01 UTC
SOC Lead Approved
M. Chen reviewed 7 artifacts in single batch. 3-minute review. Approved all. Approval chain: INC#998877.
Mon 09:17:04 UTC (3 min review)
Deployed to Okta
Authentication policy active. Voice verification required for all helpdesk MFA resets. No exceptions. Per IR Policy KL-202601-v1.0.2.
Mon 09:17:44 UTC — 40s deployment