Okta application enumeration by user
Set up the okta integration.
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detect and investigate attempts to enumerate applications using Okta, which may indicate an attacker is probing for accessible resources to facilitate lateral movement.
Strategy
This rule monitors enumeration activities via Okta where repeated queries are made to list available applications. Such behavior may suggest an attempt to identify accessible resources and potentially map out targets for lateral movement.
Triage and Response
Validate the user activity:
- Check if the user account (
{{@usr.name}}
) or associated IP address has a legitimate reason for listing applications. - Review recent authentication attempts and associated IP addresses to determine if there are additional signs of compromise or unauthorized access.
Investigate suspicious enumeration activity:
- Review Okta logs for additional enumeration patterns, such as repeated application listing requests from the same IP or user within a short time frame.
- Examine logs for any unusual or infrequent applications being accessed or targeted in enumeration requests.
Containment and remediation:
- If the enumeration activity is deemed unauthorized, consider restricting the user’s access temporarily and resetting credentials to prevent further probing.
- Conduct a broader investigation into recent activity from the flagged user and IP to check for other signs of lateral movement, such as privilege escalation or additional resource access attempts.