Okta

This correlation identifies when a user exceeds a risk threshold based on multiple suspicious Okta activities by aggregating risk events from 'Suspicious Okta Activity,' 'Okta Account Takeover,' and 'Okta MFA Exhaustion' analytic stories, highlighting potentially compromised user accounts exhibiting multiple TTPs that could lead to unauthorized access, privilege escalation, or persistence.

UNC6671, operating under the "BlackFile" brand, conducts a sophisticated extortion campaign targeting organizations through voice phishing (vishing) and single sign-on (SSO) compromise, using adversary-in-the-middle (AiTM) techniques to bypass MFA and exfiltrate sensitive corporate data.

An adversary may create a rogue identity provider within Okta to establish persistence and potentially escalate privileges by impersonating legitimate users or bypassing multi-factor authentication.

Detection of new user account creation in Okta, which could indicate malicious activity related to credential access.

This alert detects when Okta's ThreatInsight identifies a security threat within an Okta environment, potentially indicating command and control activity.

Detection of new admin role assignments in Okta, potentially indicating privilege escalation or persistence attempts by malicious actors.

An Okta end-user reports potentially suspicious activity on their account, indicating possible compromise or unauthorized access.

Attackers use proxy infrastructure to mask their origin when using stolen Okta credentials, and this rule correlates the first occurrence of an Okta user session started via a proxy with subsequent Okta security alerts for the same user.

This brief describes a detection for unauthorized application access attempts within an Okta environment, indicating a potential security breach or misconfiguration.

Okta FastPass detected and prevented a phishing attempt, indicating a user was likely targeted with a credential harvesting attack.

Attackers may modify or delete Okta application sign-on policies to weaken security controls, potentially leading to unauthorized access and data breaches.

Detects when an Okta application is modified or deleted, potentially indicating unauthorized changes or removal of critical applications.

Detection of Okta API token revocation events, indicating potential unauthorized access or compromise.

Detects the assignment of an Okta administrator role to a user or group, potentially indicating privilege escalation or persistence attempts by malicious actors.

Detection of Okta user sessions initiated through anonymizing proxy services, potentially indicating malicious activity or attempts to evade security controls.

Detection of an Okta user account lockout, which may indicate brute-force attempts or other malicious activity targeting user accounts.

Attackers masquerade malicious executables as legitimate business application installers to trick users into downloading and executing malware, leveraging defense evasion and initial access techniques.