Okta Identity Provider creation or modification

okta

Classification:

attack

Set up the okta integration.


Goal

Detect when an Okta Identity Provider has been created or modified.

Strategy

This rule monitors when an Okta Identity Provider has been created or modified. Okta’s security team reported a series of social engineering attacks in which attackers configured a second Identity Provider to act as an “impersonation app” to access applications within the compromised customer organization on behalf of other users.

Triage and response

  1. Contact the user {{@usr.email}} to ensure the change {{@evt.name}} is authorized.
  2. If the user was unaware of the change:
    • Determine if any other activity occurred from this user. Look for deviations in user agents, IP addresses and network metadata.
    • Begin your organization’s incident response process and investigate for any account takeovers.
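The detection in the Strategy section and the first triage step, as an added Python example that is not part of the Datadog rule or the Okta integration: it scans Okta System Log events for Identity Provider create/update events and summarises the actor's IPs and user agents so deviations stand out. The event type names (`system.idp.lifecycle.create`, `system.idp.lifecycle.update`) are assumed from Okta's System Log catalog, and the sample events are constructed.

```python
from collections import Counter

# Assumed Okta System Log event types for IdP creation and modification.
IDP_CHANGE_EVENTS = {"system.idp.lifecycle.create", "system.idp.lifecycle.update"}

# Constructed sample events in the Okta LogEvent layout (actor, client, target).
SAMPLE_EVENTS = [
    {"published": "2024-01-10T09:00:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 (Macintosh)"}},
     "target": []},
    {"published": "2024-01-10T09:05:00Z", "eventType": "system.idp.lifecycle.create",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.7",
                "userAgent": {"rawUserAgent": "python-requests/2.31"}},
     "target": [{"type": "IdentityProvider", "displayName": "Backup SAML IdP"}]},
    {"published": "2024-01-10T09:06:00Z", "eventType": "application.user_membership.add",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.7",
                "userAgent": {"rawUserAgent": "python-requests/2.31"}},
     "target": []},
]


def find_idp_changes(events):
    """Return one alert per IdP create/update event, carrying the fields triage needs."""
    alerts = []
    for ev in events:
        if ev.get("eventType") not in IDP_CHANGE_EVENTS:
            continue
        # Only IdentityProvider targets name the IdP; other targets are ignored.
        idps = [t.get("displayName") for t in ev.get("target", [])
                if t.get("type") == "IdentityProvider"]
        alerts.append({"usr.email": ev["actor"]["alternateId"],
                       "evt.name": ev["eventType"], "idp": idps,
                       "ip": ev["client"]["ipAddress"],
                       "user_agent": ev["client"]["userAgent"]["rawUserAgent"],
                       "published": ev["published"]})
    return alerts


def actor_context(events, email):
    """Count IPs and user agents seen for one actor, to spot deviations during triage."""
    mine = [ev for ev in events if ev["actor"]["alternateId"] == email]
    return {"ips": dict(Counter(ev["client"]["ipAddress"] for ev in mine)),
            "user_agents": dict(Counter(ev["client"]["userAgent"]["rawUserAgent"]
                                        for ev in mine))}
```

In the constructed sample the IdP is created from a different IP and a scripted user agent than the actor's browser session, which is the kind of deviation the second triage step asks you to look for.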