Okta Active Directory environment linked
Goal
Detect the creation and linking of an on-premises Active Directory environment to Okta via an authorized agent.
Strategy
This rule monitors Okta system events for Active Directory environment onboarding through the Okta agent. It correlates a system.agent.ad.create or system.agent.ad.connect event with an app.oauth2.token.grant.access_token_success event, which indicates that an access token was provided to the agent. An attacker can link a new Active Directory environment in order to import compromised user accounts into an Okta instance.
Okta system events for this activity can populate with system@okta.com as the user name and Active Directory Agent in the user agent field. The rule groups by the IP address that performed both actions.
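The correlation described above, as an added illustration that is not part of the original rule: it groups Okta System Log events by client IP and flags an IP that produced both an AD agent create/connect event and an access-token grant. The sample events are constructed, and the one-hour pairing window is an assumption, not a value the rule states.

```python
"""Correlate Okta System Log events for AD-agent onboarding by client IP."""
from collections import defaultdict
from datetime import datetime, timedelta

ONBOARD_EVENTS = {"system.agent.ad.create", "system.agent.ad.connect"}
TOKEN_EVENT = "app.oauth2.token.grant.access_token_success"

# Constructed sample events in Okta System Log shape (not real log data).
SAMPLE_EVENTS = [
    {"published": "2024-01-10T09:00:00.000Z", "eventType": TOKEN_EVENT,
     "actor": {"alternateId": "system@okta.com"},
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"rawUserAgent": "Active Directory Agent"}}},
    {"published": "2024-01-10T09:02:30.000Z", "eventType": "system.agent.ad.create",
     "actor": {"alternateId": "system@okta.com"},
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"rawUserAgent": "Active Directory Agent"}}},
    # Onboarding event with no matching token grant from the same IP: no alert.
    {"published": "2024-01-10T10:15:00.000Z", "eventType": "system.agent.ad.connect",
     "actor": {"alternateId": "system@okta.com"},
     "client": {"ipAddress": "198.51.100.7",
                "userAgent": {"rawUserAgent": "Active Directory Agent"}}},
    # Unrelated event from the first IP; ignored by the correlation.
    {"published": "2024-01-10T11:00:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"rawUserAgent": "Mozilla/5.0"}}},
]


def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")


def find_ad_onboarding(events, window=timedelta(hours=1)):
    """Return {client_ip: sorted timestamps} for every IP that produced both an
    AD onboarding event and a token-grant event within `window` of each other.
    The window is an assumed value; the rule itself only states the IP grouping."""
    by_ip = defaultdict(lambda: {"onboard": [], "token": []})
    for ev in events:
        ip = ev.get("client", {}).get("ipAddress")
        if ev.get("eventType") in ONBOARD_EVENTS:
            by_ip[ip]["onboard"].append(_ts(ev))
        elif ev.get("eventType") == TOKEN_EVENT:
            by_ip[ip]["token"].append(_ts(ev))
    hits = {}
    for ip, seen in by_ip.items():
        if any(abs(t_on - t_tok) <= window
               for t_on in seen["onboard"] for t_tok in seen["token"]):
            hits[ip] = sorted(seen["onboard"] + seen["token"])
    return hits
```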
Triage & Response
- Examine the timeline of system.agent.ad.create or system.agent.ad.connect around the alert to confirm it matches a planned integration.
- Identify other behavior occurring from the user and source IP address, {{@network.client.ip}}.
- Verify the activity is consistent with known user behaviors.
- Review activity for the import of users from the new Active Directory environment.
- If the creation of an Active Directory integration is unexpected or resulted in new user creation, initiate your incident response plan.