Okta

A machine learning job has identified an unusual spike in Okta user lifecycle management change events, indicating potential privileged access activity where threat actors may manipulate user accounts to gain higher access rights or persist within the environment.

This brief details detection of anomalous activity within the Okta Admin Console, potentially indicating privilege escalation, persistence, defense evasion, or initial access attempts by malicious actors.

Okta logs may contain user passwords if a user mistakenly enters their password into the username field during login, potentially exposing credentials in logs.

An Okta policy rule was modified or deleted, potentially weakening security controls.

An Okta network zone was deactivated or deleted, potentially indicating malicious activity aimed at bypassing security controls.

An adversary may create a rogue identity provider within Okta to establish persistence and potentially escalate privileges by impersonating legitimate users or bypassing multi-factor authentication.

Detection of new user account creation in Okta, which could indicate malicious activity related to credential access.

This alert detects when Okta's ThreatInsight identifies a security threat within an Okta environment, potentially indicating command and control activity.

Detection of new admin role assignments in Okta, potentially indicating privilege escalation or persistence attempts by malicious actors.

An Okta end-user reports potentially suspicious activity on their account, indicating possible compromise or unauthorized access.

A machine learning job has identified an unusual spike in Okta group lifecycle change events, indicating potential privilege escalation activity, where adversaries may be altering group structures to escalate privileges, maintain persistence, or facilitate lateral movement within an organization’s identity management system.

A machine learning job has identified a user performing privileged operations in Okta from an uncommon source IP, indicating potential privileged access activity indicative of account compromise or privilege escalation.

Detection of multiple device token hashes and source IPs for a single Okta session, indicating potential session hijacking and unauthorized access to Okta resources.

Attackers use proxy infrastructure to mask their origin when using stolen Okta credentials, and this rule correlates the first occurrence of an Okta user session started via a proxy with subsequent Okta security alerts for the same user.

An Okta policy was modified or deleted, potentially indicating unauthorized changes to security configurations within the Okta identity management platform by a malicious actor or insider.

An attacker attempts to disable or reset multi-factor authentication (MFA) for a user account in Okta, potentially leading to unauthorized access and account compromise.

A machine learning job has identified an unusual spike in Okta group privilege change events, indicating potential privileged access activity where attackers might be elevating privileges by adding themselves or compromised accounts to high-privilege groups, enabling further access or persistence.

A machine learning job identified a spike in Okta group application assignment changes, potentially indicating threat actors escalating privileges, maintaining persistence, or moving laterally by assigning applications to groups.

Okta FastPass detected and prevented a phishing attempt, indicating a user was likely targeted with a credential harvesting attack.

Attackers may modify or delete Okta application sign-on policies to weaken security controls, potentially leading to unauthorized access and data breaches.

Detects when an Okta application is modified or deleted, potentially indicating unauthorized changes or removal of critical applications.

Detection of Okta API token revocation events, indicating potential unauthorized access or compromise.

Detection of Okta API token creation events which can indicate malicious persistence activity.

Detects the assignment of an Okta administrator role to a user or group, potentially indicating privilege escalation or persistence attempts by malicious actors.

Detection of Okta user sessions initiated through anonymizing proxy services, potentially indicating malicious activity or attempts to evade security controls.

Detection of an Okta user account lockout, which may indicate brute-force attempts or other malicious activity targeting user accounts.

A machine learning job detected a user performing privileged operations in Okta from an uncommon device, potentially indicating a compromised account or insider threat attempting privilege escalation.

A machine learning job has identified an unusual spike in Okta group membership events, indicating potential privileged access activity where attackers or malicious insiders might be adding accounts to privileged groups to escalate their access, potentially leading to unauthorized actions or data breaches.