Okta Active Directory environment linked

okta

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1556-modify-authentication-process

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Goal

Detect the creation and linking of an on-premises Active Directory environment to Okta via an authorized agent.

Strategy

This rule monitors Okta system events for Active Directory environment onboarding through the Okta agent. It correlates system.agent.ad.create or system.agent.ad.connect events with a app.oauth2.token.grant.access_token_success event, indicating an access token was provided. An attacker can link a new Active Directory environment in order to import compromised user accounts to an Okta instance.

Okta system events can populate with system@okta.com as the user name and Active Directory Agent in the user agent field. The rule is grouped by the IP address that took the two actions.

Triage & Response

  • Examine the timeline of system.agent.ad.create or system.agent.ad.connect around the alert to confirm it matches a planned integration.
  • Identify other behavior occurring from the user and source IP address, {{@network.client.ip}}.
  • Verify the activity is consistent with known user behaviors.
  • Review activity for the import of users from new Active Directory environment.
  • If the creation of an Active Directory integration is unexpected or resulted in new user creation, initiate your incident response plan.