Okta

This brief details detection of anomalous activity within the Okta Admin Console, potentially indicating privilege escalation, persistence, defense evasion, or initial access attempts by malicious actors.

Okta logs may contain user passwords if a user mistakenly enters their password into the username field during login, potentially exposing credentials in logs.

An Okta network zone was deactivated or deleted, potentially indicating malicious activity aimed at bypassing security controls.

An adversary may create a rogue identity provider within Okta to establish persistence and potentially escalate privileges by impersonating legitimate users or bypassing multi-factor authentication.

Detection of new user account creation in Okta, which could indicate malicious activity related to credential access.

This alert detects when Okta's ThreatInsight identifies a security threat within an Okta environment, potentially indicating command and control activity.

Detection of new admin role assignments in Okta, potentially indicating privilege escalation or persistence attempts by malicious actors.

An Okta end-user reports potentially suspicious activity on their account, indicating possible compromise or unauthorized access.

Attackers use proxy infrastructure to mask their origin when using stolen Okta credentials, and this rule correlates the first occurrence of an Okta user session started via a proxy with subsequent Okta security alerts for the same user.

This brief describes a detection for unauthorized application access attempts within an Okta environment, indicating a potential security breach or misconfiguration.

An Okta policy was modified or deleted, potentially indicating unauthorized changes to security configurations within the Okta identity management platform by a malicious actor or insider.

An attacker attempts to disable or reset multi-factor authentication (MFA) for a user account in Okta, potentially leading to unauthorized access and account compromise.

Okta FastPass detected and prevented a phishing attempt, indicating a user was likely targeted with a credential harvesting attack.

Attackers may modify or delete Okta application sign-on policies to weaken security controls, potentially leading to unauthorized access and data breaches.

Detects when an Okta application is modified or deleted, potentially indicating unauthorized changes or removal of critical applications.

Detection of Okta API token revocation events, indicating potential unauthorized access or compromise.

Detection of Okta API token creation events which can indicate malicious persistence activity.

Detects the assignment of an Okta administrator role to a user or group, potentially indicating privilege escalation or persistence attempts by malicious actors.

Detection of Okta user sessions initiated through anonymizing proxy services, potentially indicating malicious activity or attempts to evade security controls.

Detection of an Okta user account lockout, which may indicate brute-force attempts or other malicious activity targeting user accounts.

Attackers masquerade malicious executables as legitimate business application installers to trick users into downloading and executing malware, leveraging defense evasion and initial access techniques.