Okta Desktop Single Sign On (DSSO) from unexpected profile source
Goal
Detects Okta Desktop Single Sign On through a non‑priority profile source.
Strategy
This rule monitors Okta authentication events for user.authentication.dsso_via_non_priority_source events.
The debugContext.debugData object contains the prioritized profile source and the actual profile source used during the DSSO attempt for {{@debugContext.debugData.oktaUserEmail}}.
The highest priority profile source is typically expected in this flow. The presence of this log event might be benign or might indicate an attempt to authenticate the user from a compromised Active Directory domain or another source that establishes user profiles in Okta.
Triage & Response
- Examine surrounding login events for {{@debugContext.debugData.oktaUserEmail}} to confirm abnormal behavior.
- Identify the profile used, {{@debugContext.debugData.incomingProfileSourceInstanceId}}, and validate it is trusted and expected for the organization within the Okta Admin console.
- Analyze subsequent activity by {{@debugContext.debugData.oktaUserEmail}} after the DSSO event, including sensitive application access or administrative changes, to evaluate risk.
- If the access event is unexpected or resulted in suspicious activities, initiate your incident response plan.
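
The triage steps above can be run offline over exported Okta System Log events. This is an added example, not part of the original rule or any vendor code. It assumes events are already loaded as dicts, that `trusted_sources` is your own list of expected profile source instance IDs, and that a one-hour follow-up window is appropriate; all sample values are constructed.

```python
from datetime import datetime, timedelta

DSSO_EVENT = "user.authentication.dsso_via_non_priority_source"

# Constructed sample events in Okta System Log shape (illustrative, not real data).
SAMPLE_LOGS = [
    {"published": "2024-05-01T10:00:00.000Z", "eventType": DSSO_EVENT,
     "debugContext": {"debugData": {
         "oktaUserEmail": "alice@example.com",
         "incomingProfileSourceInstanceId": "EXAMPLE_UNTRUSTED_SOURCE"}}},
    {"published": "2024-05-01T10:05:00.000Z", "eventType": "user.authentication.sso",
     "actor": {"alternateId": "alice@example.com"}},
    {"published": "2024-05-01T10:20:00.000Z", "eventType": "user.account.privilege.grant",
     "actor": {"alternateId": "Alice@example.com"}},
    {"published": "2024-05-01T11:00:00.000Z", "eventType": DSSO_EVENT,
     "debugContext": {"debugData": {
         "oktaUserEmail": "bob@example.com",
         "incomingProfileSourceInstanceId": "EXAMPLE_TRUSTED_SOURCE"}}},
    {"published": "2024-05-01T12:30:00.000Z", "eventType": "user.authentication.sso",
     "actor": {"alternateId": "alice@example.com"}},  # outside the window
]

def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")

def triage_dsso(events, trusted_sources, window=timedelta(hours=1)):
    """For each non-priority DSSO event, report whether the incoming profile
    source is on the trusted list and what the user did within `window`."""
    events = sorted(events, key=_ts)
    findings = []
    for ev in events:
        if ev.get("eventType") != DSSO_EVENT:
            continue
        data = ev.get("debugContext", {}).get("debugData", {})
        user = (data.get("oktaUserEmail") or "").lower()
        source = data.get("incomingProfileSourceInstanceId")
        start = _ts(ev)
        followups = [
            e["eventType"] for e in events
            if user  # skip matching when the DSSO event carries no email
            and (e.get("actor", {}).get("alternateId") or "").lower() == user
            and start < _ts(e) <= start + window
        ]
        findings.append({"user": user, "source": source,
                         "trusted_source": source in trusted_sources,
                         "followups": followups})
    return findings

if __name__ == "__main__":
    for f in triage_dsso(SAMPLE_LOGS, {"EXAMPLE_TRUSTED_SOURCE"}):
        print(f)
```

A finding with `trusted_source` false and follow-up events such as privilege grants is the combination the last triage step treats as grounds for incident response.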