Okta Desktop Single Sign On (DSSO) from unexpected profile source

Goal

Detects Okta Desktop Single Sign On through a non‑priority profile source.

Strategy

This rule monitors Okta authentication logs for user.authentication.dsso_via_non_priority_source events.

The debugContext.debugData object contains the prioritized profile source and the actual profile source used during the DSSO attempt for {{@debugContext.debugData.oktaUserEmail}}.

The highest priority profile source is typically expected in this flow. The presence of this log event might be benign or might indicate an attempt to authenticate the user from a compromised Active Directory domain or another source that establishes user profiles in Okta.

Triage & Response

  • Examine surrounding login events for {{@debugContext.debugData.oktaUserEmail}} to confirm abnormal behavior.
  • Identify the profile source used, {{@debugContext.debugData.incomingProfileSourceInstanceId}}, and validate in the Okta Admin console that it is trusted and expected for the organization.
  • Analyze subsequent activity by {{@debugContext.debugData.oktaUserEmail}} after the DSSO event, including sensitive application access or administrative changes, to evaluate risk.
  • If the access event is unexpected or resulted in suspicious activities, initiate your incident response plan.
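
The triage steps above can be scripted against exported Okta System Log events. The following is an added example, not part of the original rule or of Datadog's or Okta's code. The trusted-source allowlist, the one-hour follow-up window, the matching of later events on actor.alternateId, and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

DSSO_EVENT = "user.authentication.dsso_via_non_priority_source"
# Assumption: profile source instance IDs the organization has validated as trusted.
TRUSTED_SOURCES = {"0oa-constructed-corp-ad"}
FOLLOW_UP_WINDOW = timedelta(hours=1)  # assumption: how far ahead to review activity

def _ev(ts, etype, user, source=None):
    """Build a constructed event in Okta System Log shape (not real data)."""
    ev = {"published": ts, "eventType": etype, "actor": {"alternateId": user}}
    if source is not None:
        ev["debugContext"] = {"debugData": {
            "oktaUserEmail": user, "incomingProfileSourceInstanceId": source}}
    return ev

SAMPLE_EVENTS = [  # constructed sample data
    _ev("2024-05-01T09:00:00Z", DSSO_EVENT, "alice@example.com", "0oa-constructed-corp-ad"),
    _ev("2024-05-01T09:50:00Z", "user.session.start", "bob@example.com"),
    _ev("2024-05-01T10:00:00Z", DSSO_EVENT, "bob@example.com", "0oa-constructed-unknown"),
    _ev("2024-05-01T10:05:00Z", "user.session.access_admin_app", "bob@example.com"),
    _ev("2024-05-01T12:30:00Z", "user.authentication.sso", "bob@example.com"),
]

def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ")

def triage(events, trusted=TRUSTED_SOURCES, window=FOLLOW_UP_WINDOW):
    """One finding per DSSO event: user, source, trust verdict, later activity."""
    events = sorted(events, key=_ts)
    findings = []
    for ev in events:
        if ev.get("eventType") != DSSO_EVENT:
            continue
        data = ev.get("debugContext", {}).get("debugData", {})
        user = data.get("oktaUserEmail")
        source = data.get("incomingProfileSourceInstanceId")
        start = _ts(ev)
        # Activity by the same user after the DSSO event, inside the window.
        follow_up = [e["eventType"] for e in events
                     if e.get("actor", {}).get("alternateId") == user
                     and start < _ts(e) <= start + window]
        findings.append({"user": user, "source": source,
                         # A missing source ID is treated as untrusted.
                         "trusted_source": source in trusted,
                         "follow_up": follow_up})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A finding with trusted_source set to False and a non-empty follow_up list is the case to prioritize for the final triage step.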