{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/application-security/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Okta"],"_cs_severities":["medium"],"_cs_tags":["okta","application-security","identity-management"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eThis alert detects modifications or deletions of applications within the Okta identity and access management platform. While the specific actor is unknown, the modification or deletion of an application can lead to significant disruptions and potential security breaches. The activity is detected through Okta system logs that record application lifecycle events. This is crucial for defenders because unauthorized changes to applications can lead to privilege escalation, data breaches, or denial of service. Monitoring these events allows for prompt investigation and mitigation of potentially malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains unauthorized access to an Okta administrator account.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Okta admin console.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the Applications section in the Okta admin console.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target application for modification or deletion.\u003c/li\u003e\n\u003cli\u003eIf modifying, the attacker alters application settings such as permissions, user assignments, or SSO configurations.\u003c/li\u003e\n\u003cli\u003eIf deleting, the attacker initiates the application deletion process.\u003c/li\u003e\n\u003cli\u003eOkta logs the \u0026ldquo;application.lifecycle.update\u0026rdquo; or \u0026ldquo;application.lifecycle.delete\u0026rdquo; event.\u003c/li\u003e\n\u003cli\u003eThe change impacts end-users and their ability to access resources through the modified or deleted application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of unauthorized application modification or deletion can be significant. Modified applications can grant unintended access to sensitive resources, leading to data breaches or privilege escalation. Deleted applications disrupt user access and business operations, potentially causing significant downtime and financial losses. The scope of the impact depends on the criticality of the affected application and the extent of the unauthorized changes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u003ccode\u003eapplication.lifecycle.update\u003c/code\u003e or \u003ccode\u003eapplication.lifecycle.delete\u003c/code\u003e events in Okta logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts for unexpected application modifications or deletions, focusing on the user account that initiated the change (source: Okta logs).\u003c/li\u003e\n\u003cli\u003eReview Okta administrator account access and enforce multi-factor authentication to prevent unauthorized access (reference: Okta documentation on security best practices).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-okta-app-modified-deleted/","summary":"Detects when an Okta application is modified or deleted, potentially indicating unauthorized changes or removal of critical applications.","title":"Okta Application Modified or Deleted","url":"https://feed.craftedsignal.io/briefs/2024-01-03-okta-app-modified-deleted/"}],"language":"en","title":"CraftedSignal Threat Feed — Application-Security","version":"https://jsonfeed.org/version/1.1"}