Okta Org2Org application user syncing


Goal

Detects configuration of user or password synchronization for an Okta instance through the Okta Org2Org integration.

Strategy

This rule monitors Okta activity for Org2Org events that push, import, or sync users from a source organization into the target organization. The Okta Org2Org feature connects multiple source organizations to a single target organization, and the integration allows a source organization to push users into the target organization.

Enabling synchronization between Okta tenants can give an attacker persistence: attacker-controlled users in a source organization are pushed into the target organization and remain there as long as the sync stays configured.
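The detection strategy above, run over constructed Okta System Log entries, as an added example that is not part of this rule or Datadog's code. It assumes the Org2Org app instance appears in the event's `target` list with display name "Okta Org2Org" and that provisioning events share the `application.provision.` prefix; the sample entries and the `related_admin_activity` helper (triage step 3) are illustrative.

```python
import json
from datetime import datetime, timedelta

# Assumptions: Org2Org provisioning events carry this eventType prefix and
# name the Org2Org AppInstance as a target. Neither value comes from the rule page.
SYNC_EVENT_PREFIX = "application.provision."
ORG2ORG_APP = "Okta Org2Org"

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def is_org2org_sync(event):
    """True when a provisioning event targets an Org2Org app instance."""
    if not event.get("eventType", "").startswith(SYNC_EVENT_PREFIX):
        return False
    return any(t.get("type") == "AppInstance" and ORG2ORG_APP in t.get("displayName", "")
               for t in event.get("target", []))

def detect_org2org_sync(events):
    """Return one finding per Org2Org sync event with the fields triage asks for."""
    return [{
        "time": e["published"], "event_type": e["eventType"],
        "actor": e["actor"]["alternateId"],      # corresponds to @usr.email
        "client_ip": e["client"]["ipAddress"],   # corresponds to @network.client.ip
    } for e in events if is_org2org_sync(e)]

def related_admin_activity(events, finding, window_minutes=60):
    """Other events from the same actor or source IP near the finding (triage step 3)."""
    t0 = parse_ts(finding["time"])
    out = []
    for e in events:
        if (e["published"], e["eventType"]) == (finding["time"], finding["event_type"]):
            continue  # skip the triggering event itself
        same_origin = (e["actor"]["alternateId"] == finding["actor"]
                       or e["client"]["ipAddress"] == finding["client_ip"])
        if same_origin and abs(parse_ts(e["published"]) - t0) <= timedelta(minutes=window_minutes):
            out.append(e["eventType"])
    return out

# Constructed sample entries in Okta System Log JSON shape (not real log data).
SAMPLE_LOGS = [json.loads(line) for line in """
{"published":"2024-05-01T10:00:00.000Z","eventType":"user.session.start","actor":{"alternateId":"admin@example.com"},"client":{"ipAddress":"203.0.113.5"},"target":[]}
{"published":"2024-05-01T10:05:00.000Z","eventType":"application.provision.user.push","actor":{"alternateId":"admin@example.com"},"client":{"ipAddress":"203.0.113.5"},"target":[{"type":"AppInstance","displayName":"Okta Org2Org"}]}
{"published":"2024-05-01T10:07:00.000Z","eventType":"user.lifecycle.create","actor":{"alternateId":"admin@example.com"},"client":{"ipAddress":"203.0.113.5"},"target":[{"type":"User","displayName":"new.user"}]}
{"published":"2024-05-01T11:30:00.000Z","eventType":"application.provision.user.push","actor":{"alternateId":"svc@example.com"},"client":{"ipAddress":"198.51.100.9"},"target":[{"type":"AppInstance","displayName":"Salesforce"}]}
""".strip().splitlines()]

if __name__ == "__main__":
    for f in detect_org2org_sync(SAMPLE_LOGS):
        print(f, related_admin_activity(SAMPLE_LOGS, f))
```

Only the push targeting the Org2Org instance fires; the Salesforce push from another actor does not, and the follow-up user creation from the same actor surfaces as related activity.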

Triage & Response

  1. Review the change details to confirm the specific sync capability enabled (user push, import, or password sync) and the associated Org2Org application instance.
  2. Identify the actor, {{@usr.email}}, and determine whether an approved change request exists for establishing or modifying the users within the target Okta instance.
  3. Check recent activity from the same actor and source IP {{@network.client.ip}} for additional administrative actions or unusual authentication patterns.
  4. Review subsequent provisioning events (user creations, updates, group assignments).
  5. If user activity is suspicious, begin your organization’s incident response process and investigate for any account takeovers.