Okta Desktop Single Sign On (DSSO) from unexpected profile source

Goal

Detects Okta Desktop Single Sign On through a non‑priority profile source.

Strategy

This rule monitors Okta authentication logs for user.authentication.dsso_via_non_priority_source events.

The debugContext.debugData object contains the prioritized profile source and the actual profile source used during the DSSO attempt for {{@debugContext.debugData.oktaUserEmail}}.

The highest priority profile source is typically expected in this flow. The presence of this log event might be benign or might indicate an attempt to authenticate the user from a compromised Active Directory domain or another source that establishes user profiles in Okta.

Triage & Response

  • Examine surrounding login events for {{@debugContext.debugData.oktaUserEmail}} to confirm abnormal behavior.
  • Identify the profile source used, {{@debugContext.debugData.incomingProfileSourceInstanceId}}, and validate in the Okta Admin console that it is trusted and expected for the organization.
  • Analyze subsequent activity by {{@debugContext.debugData.oktaUserEmail}} after the DSSO event, including sensitive application access or administrative changes, to evaluate risk.
  • If the access event is unexpected or resulted in suspicious activities, initiate your incident response plan.
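
The first three triage steps can be scripted against exported Okta System Log events. The following is an added example, not part of the original rule or of Okta or Datadog tooling. The sample events and source IDs are constructed, and matching later activity on actor.alternateId and the one-hour window are assumptions.

```python
from datetime import datetime, timedelta

DSSO_EVENT = "user.authentication.dsso_via_non_priority_source"

def _event(ts, event_type, actor, debug_data=None):
    # Builds a constructed event using Okta System Log field names.
    return {"published": ts, "eventType": event_type,
            "actor": {"alternateId": actor},
            "debugContext": {"debugData": debug_data or {}}}

# Constructed sample events (not real log data); source IDs are placeholders.
SAMPLE_EVENTS = [
    _event("2024-05-01T10:00:00.000Z", DSSO_EVENT, "alice@example.com",
           {"oktaUserEmail": "alice@example.com",
            "incomingProfileSourceInstanceId": "SOURCE-UNKNOWN-PLACEHOLDER"}),
    _event("2024-05-01T10:05:00.000Z", "user.authentication.sso", "alice@example.com"),
    _event("2024-05-01T10:10:00.000Z", "user.session.start", "bob@example.com"),
    _event("2024-05-01T10:20:00.000Z", "system.api_token.create", "alice@example.com"),
    _event("2024-05-01T11:00:00.000Z", DSSO_EVENT, "carol@example.com",
           {"oktaUserEmail": "carol@example.com",
            "incomingProfileSourceInstanceId": "SOURCE-TRUSTED-PLACEHOLDER"}),
    _event("2024-05-01T12:30:00.000Z", "user.session.start", "alice@example.com"),
]

def _ts(event):
    # Okta timestamps are ISO 8601 with a trailing Z.
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

def triage(events, trusted_sources, window=timedelta(hours=1)):
    """One finding per DSSO non-priority event, with the user's later activity."""
    ordered = sorted(events, key=_ts)
    findings = []
    for ev in ordered:
        if ev.get("eventType") != DSSO_EVENT:
            continue
        data = (ev.get("debugContext") or {}).get("debugData") or {}
        user = data.get("oktaUserEmail")
        source = data.get("incomingProfileSourceInstanceId")
        start = _ts(ev)
        # Assumption: later events by the same user carry the email in actor.alternateId.
        follow_up = [e["eventType"] for e in ordered
                     if user and (e.get("actor") or {}).get("alternateId") == user
                     and start < _ts(e) <= start + window]
        findings.append({"user": user, "source": source,
                         "trusted_source": source in trusted_sources,
                         "follow_up": follow_up})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, {"SOURCE-TRUSTED-PLACEHOLDER"}):
        print(finding)
```

A finding with trusted_source set to False or with sensitive event types in follow_up is the case the last triage step escalates.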