Okta Identity Provider creation or modification

okta

Classification:

attack

Set up the Okta integration.


Goal

Detect when an Okta Identity Provider has been created or modified.

Strategy

This rule monitors Okta System Log events for the creation or modification of an Okta Identity Provider. Okta’s security team reported a series of social engineering attacks in which attackers configured a second Identity Provider to act as an “impersonation app”, letting them access applications within the compromised customer organization on behalf of other users. Because a new or altered Identity Provider can assert identities that Okta then trusts, any unexpected change of this kind deserves prompt review.

Triage and response

  1. Contact the user {{@usr.email}} to confirm that the change {{@evt.name}} was authorized.
  2. If the user was unaware of the change:
    • Determine whether any other activity occurred from this user. Look for deviations in user agents, IP addresses and other network metadata compared with the user’s usual activity.
    • Begin your organization’s incident response process and investigate for account takeovers, including any sign-ins asserted through the newly created or modified Identity Provider.
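The following is an added example, not code from this rule page or from Datadog or Okta, showing both the detection in the Strategy section and the second triage step run over constructed Okta System Log entries. It assumes the Okta System Log field names eventType, published, actor.alternateId, client.ipAddress, client.userAgent.rawUserAgent and target[].type, and that the rule’s @evt.name values correspond to the system.idp.lifecycle.create and system.idp.lifecycle.update event types; the sample log lines are constructed and the function names are hypothetical.

```python
import json

# Okta System Log event types that correspond to this rule's @evt.name values.
# Assumption: Okta's system.idp.lifecycle.* family; confirm against your tenant's events.
IDP_CHANGE_EVENTS = {
    "system.idp.lifecycle.create",
    "system.idp.lifecycle.update",
}

# Constructed sample events (not real tenant data) in the newline-delimited JSON shape
# of Okta System Log entries: eventType, published, actor, client and target.
SAMPLE_LOG = """\
{"eventType":"user.session.start","published":"2024-05-01T08:00:00.000Z","actor":{"alternateId":"alice@example.com","type":"User"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh)"}},"target":[]}
{"eventType":"system.idp.lifecycle.create","published":"2024-05-01T08:05:00.000Z","actor":{"alternateId":"alice@example.com","type":"User"},"client":{"ipAddress":"198.51.100.7","userAgent":{"rawUserAgent":"python-requests/2.31"}},"target":[{"type":"IdentityProvider","displayName":"Backup SAML IdP"}]}
{"eventType":"user.session.start","published":"2024-05-01T08:06:00.000Z","actor":{"alternateId":"alice@example.com","type":"User"},"client":{"ipAddress":"198.51.100.7","userAgent":{"rawUserAgent":"python-requests/2.31"}},"target":[]}
{"eventType":"user.session.start","published":"2024-05-01T08:55:00.000Z","actor":{"alternateId":"bob@example.com","type":"User"},"client":{"ipAddress":"203.0.113.20","userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows)"}},"target":[]}
{"eventType":"system.idp.lifecycle.update","published":"2024-05-01T09:00:00.000Z","actor":{"alternateId":"bob@example.com","type":"User"},"client":{"ipAddress":"203.0.113.20","userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows)"}},"target":[{"type":"IdentityProvider","displayName":"Corp Okta-to-Okta"}]}
"""


def parse_log(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_idp_changes(events):
    """Detection: one alert per IdP create/update event, carrying the fields the
    triage steps reference (@evt.name, @usr.email) plus network metadata."""
    alerts = []
    for ev in events:
        if ev.get("eventType") not in IDP_CHANGE_EVENTS:
            continue
        alerts.append({
            "evt_name": ev["eventType"],
            "usr_email": ev["actor"]["alternateId"],
            "published": ev["published"],
            "ip": ev["client"]["ipAddress"],
            "user_agent": ev["client"]["userAgent"]["rawUserAgent"],
            # The changed provider appears as a target; keep every IdP named on the event.
            "idp": [t.get("displayName") for t in ev.get("target", [])
                    if t.get("type") == "IdentityProvider"],
        })
    return alerts


def actor_baseline(events, alert):
    """Triage step 2: compare the IP and user agent on the IdP change with the ones
    the same actor used on earlier events, so a change made from an unfamiliar
    client stands out. Timestamps are ISO 8601 UTC, so string order is time order."""
    prior = [
        ev for ev in events
        if ev["actor"]["alternateId"] == alert["usr_email"]
        and ev["published"] < alert["published"]
    ]
    ips = {ev["client"]["ipAddress"] for ev in prior}
    uas = {ev["client"]["userAgent"]["rawUserAgent"] for ev in prior}
    new_ip = alert["ip"] not in ips
    new_ua = alert["user_agent"] not in uas
    return {
        "prior_event_count": len(prior),
        "known_ips": sorted(ips),
        "known_user_agents": sorted(uas),
        "new_ip": new_ip,
        "new_user_agent": new_ua,
        # No prior activity at all is also worth a look: a freshly compromised
        # account may have no baseline to compare against.
        "deviates": new_ip or new_ua or not prior,
    }


def run_triage(text=SAMPLE_LOG):
    """Run detection over the log and attach the actor baseline to each alert."""
    events = parse_log(text)
    results = []
    for alert in find_idp_changes(events):
        results.append({**alert, "baseline": actor_baseline(events, alert)})
    return results


if __name__ == "__main__":
    for r in run_triage():
        flag = "DEVIATES" if r["baseline"]["deviates"] else "consistent"
        print(f"{r['published']} {r['evt_name']} by {r['usr_email']} "
              f"on {r['idp']} from {r['ip']} ({r['user_agent']}): {flag}")
```

On the constructed sample, alice’s IdP creation is flagged because it came from an IP and a scripted user agent she had not used before, while bob’s update matches the client of his preceding session and is reported as consistent. In a real investigation the baseline window should cover days or weeks of the actor’s history rather than the handful of events shown here, and the deviation is a prompt for the contact-the-user step, not proof of compromise on its own.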