Okta Active Directory environment linked
Goal
Detect the creation and linking of an on-premises Active Directory environment to Okta via an authorized agent.
Strategy
This rule monitors Okta system events for Active Directory environment onboarding through the Okta agent. It correlates system.agent.ad.create or system.agent.ad.connect events with a app.oauth2.token.grant.access_token_success event, indicating an access token was provided. An attacker can link a new Active Directory environment in order to import compromised user accounts to an Okta instance.
For this activity, Okta system events typically show system@okta.com as the user name and Active Directory Agent in the user agent field. The rule groups the two events by the IP address that performed both actions.
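The correlation described above, written out as an added Python check over constructed Okta System Log events (this is example code, not Datadog's or Okta's rule implementation). The field names follow the Okta System Log schema (eventType, published, actor.alternateId, client.ipAddress, client.userAgent.rawUserAgent); the 30-minute pairing window is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Okta System Log events, trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventType": "system.agent.ad.create", "published": "2024-05-01T10:00:00Z",
     "actor": {"alternateId": "system@okta.com"},
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"rawUserAgent": "Active Directory Agent"}}},
    {"eventType": "app.oauth2.token.grant.access_token_success", "published": "2024-05-01T10:02:00Z",
     "actor": {"alternateId": "system@okta.com"},
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"rawUserAgent": "Active Directory Agent"}}},
    # Token grant alone from another address: no AD create/connect, so no alert.
    {"eventType": "app.oauth2.token.grant.access_token_success", "published": "2024-05-01T10:03:00Z",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.7", "userAgent": {"rawUserAgent": "Mozilla/5.0"}}},
    # AD connect with no token grant from the same address inside the window: no alert.
    {"eventType": "system.agent.ad.connect", "published": "2024-05-01T12:00:00Z",
     "actor": {"alternateId": "system@okta.com"},
     "client": {"ipAddress": "192.0.2.44",
                "userAgent": {"rawUserAgent": "Active Directory Agent"}}},
]

AD_LINK_EVENTS = {"system.agent.ad.create", "system.agent.ad.connect"}
TOKEN_EVENT = "app.oauth2.token.grant.access_token_success"

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_ad_link_alerts(events, window=timedelta(minutes=30)):
    """Return one alert per client IP that produced both an AD create/connect
    event and an access-token grant success within `window` of each other."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["client"]["ipAddress"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        ad_events = [e for e in evs if e["eventType"] in AD_LINK_EVENTS]
        token_events = [e for e in evs if e["eventType"] == TOKEN_EVENT]
        for ad in ad_events:
            if any(abs(parse_ts(ad["published"]) - parse_ts(t["published"])) <= window
                   for t in token_events):
                alerts.append({"ip": ip, "ad_event": ad["eventType"],
                               "actor": ad["actor"]["alternateId"],
                               "user_agent": ad["client"]["userAgent"]["rawUserAgent"]})
                break  # one alert per IP is enough to drive triage
    return alerts
```

Running it on the sample data yields a single alert for 203.0.113.10, which is the only address that both linked an AD environment and obtained an access token inside the window.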
Triage & Response
- Examine the timeline of system.agent.ad.create or system.agent.ad.connect around the alert to confirm it matches a planned integration.
- Identify other behavior occurring from the user and source IP address, {{@network.client.ip}}.
- Verify the activity is consistent with known user behaviors.
- Review activity for the import of users from the new Active Directory environment.
- If the creation of an Active Directory integration is unexpected or resulted in new user creation, initiate your incident response plan.