Defending Against Valid Account Threats: A Holistic Workflow with CrowdStrike, Okta, Elastic, and Recorded Future

As organizations seek to bolster their cyber defense strategies, the MITRE ATT&CK framework has emerged as a valuable resource for understanding and categorizing real-world threats. This globally-accessible knowledge base offers a comprehensive and structured approach to enumerating the tactics, techniques, and procedures (TTPs) used by adversaries. However, to truly harness the power of this framework, security teams must effectively operationalize it within their incident response workflows.

In this blog post, we’ll dive into how a D3 Smart SOAR playbook, tailored to the MITRE ATT&CK framework, can help organizations streamline their response to initial access attempts with valid accounts. We’ll discuss how this playbook integrates Elastic and Okta to classify incoming alerts and map them to their corresponding tactics, and uses CrowdStrike, Recorded Future and Okta to execute appropriate response actions. By leveraging the MITRE ATT&CK framework and powerful SOAR capabilities, security teams can proactively defend their environments and significantly enhance their incident response efforts.

The Alert: Failed Login Attempt

The event we’ll be looking at is a suspicious login attempt detected by Elasticsearch. The event data contains the source IP, source IP location, the IP and hostname of the target device, as well as the target username:

A suspicious login attempt detected by Elasticsearch as seen in Smart SOAR
The event playbook below processed the event and tagged it as an Initial Access: Valid Account threat.

Step 1: Determine Severity and Identify False Positives

The first stage of the event playbook used for this alert checks three things:

  1. Was the authentication attempt successful?
  2. Is it a legitimate user?
  3. Is it coming from an expected location?

If the login attempt was successful and is coming from an unexpected location, the playbook increases the severity to critical. If the login attempt was unsuccessful, the playbook checks Okta to see if the target user is a legitimate user in the company. If they are not, the playbook tags the alert as a false positive and dismisses it.

Smart SOAR playbook workflow to determine severity and identify false positives

Step 2: Tag the Tactic and Technique

Once the legitimacy of the user is verified, the playbook checks if the location of the request is expected or not and then increases or decreases the severity depending on the result. If it is not expected, the playbook also tags the event as an Initial Access: Valid Account threat.

Smart SOAR workflow to tag the tactic and technique as Valid Account (T1078)

Step 3: Enrichment

Once the event has been escalated into an incident, the enrichment stage is triggered:

Valid Account (T1078) Enrichment workflow in D3 Smart SOAR

The enrichment stage of the incident playbook collects device information from CrowdStrike, IP reputation scores from Recorded Future, and the target user’s groups from Okta.

Device Information from CrowdStrike as seen in D3 Smart SOAR

Device Information from CrowdStrike

Recorded Future OSINT as seen in D3 Smart SOAR

Recorded Future OSINT

Okta User Groups info as seen in D3 Smart SOAR

Okta User Groups

Step 4: Response

When enrichment is complete (this process takes 4-5 seconds from the point the incident is created), the playbook then checks to see if the target user is an administrator or not and checks the CrowdStrike IOC watchlist for the external IP. If the IP is not found, the playbook will add it to the watchlist. Also, if the user is not an administrator, it will close the incident.

Valid Account (T1078) threats response workflow in D3 Smart SOAR

In this case, the user is an administrator, so we’ve notified the analyst assigned to the ticket that there are response actions they can take. The actions they can choose from between Okta and CrowdStrike are:

  1. Block IP
  2. Reset user password
  3. Deactivate user
  4. Isolate the host

In this case we’ve chosen just to reset the user password.

Step 5: Post-Incident Activities

Since remediation actions were taken, the playbook generates an incident report and sends it to the management team. The report contains event artifacts, actions taken, and steps completed by the analyst and playbook.

Valid Account (T1078) threats post-incident workflow in D3 Smart SOAR

Initial Access incident report generated by D3 Smart SOAR

The total runtime for the event and incident playbook is 15 seconds, excluding the time spent waiting for the analyst to determine which response actions to take.


Organizations need to harness the power of the MITRE ATT&CK framework and SOAR capabilities to stay ahead of adversaries. The Smart SOAR playbook we’ve explored in this blog post demonstrates the potential to streamline incident response workflows by integrating Elastic, CrowdStrike, Okta, and Recorded Future. By rapidly processing and classifying alerts, enriching them with contextual information, and automating response actions, security teams can significantly reduce the time to detect and respond to threats.

The playbook’s ability to efficiently process initial access attempts with valid accounts showcases the importance of operationalizing the MITRE ATT&CK framework in incident response. By embracing this approach, organizations can enhance their overall cyber defense posture and be better prepared to face the challenges of modern cybersecurity threats.

Social Icon
Pierre Noujeim

Pierre Noujeim is a Product Marketing Manager with a cyber security engineering background. Having implemented SOAR at enterprise organizations as well as for D3's MSSP partners, Pierre has rich and varied insight into integrations, use cases and the cyber security vendor landscape. A dedicated product marketer, Pierre represents D3 at analyst briefings, webinar workshops and industry conferences such as RSA and Black Hat.