For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/def-000-8ij.md. A documentation index is available at /llms.txt.

Okta activity from malicious IP address

Goal

Detects successful Okta activity originating from an IP address flagged as malicious by threat intelligence, with elevated severity for API token usage.

Strategy

This rule monitors Okta logs for successful events originating from IP addresses associated with malicious activity. The rule distinguishes between two types of activity: interactive user authentication events, and API activity, identified by the presence of @transaction.detail.requestApiTokenId.

API token usage from a malicious IP generates a high-severity signal because it indicates a stolen token is being used from attacker-controlled infrastructure. Interactive login activity generates a medium-severity signal, as a successful authentication from a known-malicious source strongly suggests credential compromise.

Triage and response

  • Review the threat intelligence details for {{@network.client.ip}} to understand why the IP is classified as malicious and whether it is associated with Tor exit nodes.
  • Determine if {{@usr.name}} has a legitimate reason to authenticate from the flagged IP address, such as authorized use of a VPN or privacy tool.
  • Examine the Okta session activity following the successful authentication to identify any privilege escalation, configuration changes, or data access.
  • Check if an API token was involved and, if so, identify when the token was created and whether it has been used from other suspicious IP addresses.
  • Review recent password changes, MFA factor enrollments, or account recovery events for {{@usr.name}} that could indicate account takeover.
  • Investigate whether other user accounts have authenticated from {{@network.client.ip}} to determine if the compromise extends beyond a single account.
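The detection logic from the Strategy section and the "other accounts from the same IP" pivot from the triage steps, worked through on constructed Okta System Log events. This is an added example and not Datadog's rule implementation: the events, IP addresses, token ID and threat-intelligence categories are made up, and the mapping of the raw Okta fields client.ipAddress and actor.alternateId onto the page's @network.client.ip and @usr.name attributes is an assumption about the log pipeline, not something the page states.

```python
"""Successful Okta activity from a threat-intel-flagged IP: API-token usage is
rated high, interactive logins medium, failed or clean-IP events are ignored.
Added example, not Datadog's rule code. All data below is constructed."""
from dataclasses import dataclass
from typing import Any, Optional

# Constructed threat-intelligence feed: IP -> category (TEST-NET addresses).
THREAT_INTEL = {
    "203.0.113.45": "malicious",
    "198.51.100.7": "tor_exit_node",
}

# Constructed Okta System Log events using raw Okta field names. Assumption:
# client.ipAddress maps to @network.client.ip, actor.alternateId to @usr.name.
SAMPLE_EVENTS = [
    {   # interactive login from a malicious IP -> medium
        "eventType": "user.session.start",
        "outcome": {"result": "SUCCESS"},
        "client": {"ipAddress": "203.0.113.45"},
        "actor": {"alternateId": "alice@example.com"},
        "transaction": {"detail": {}},
    },
    {   # API call made with an API token from the same malicious IP -> high
        "eventType": "user.account.update_profile",
        "outcome": {"result": "SUCCESS"},
        "client": {"ipAddress": "203.0.113.45"},
        "actor": {"alternateId": "svc-automation@example.com"},
        "transaction": {"detail": {"requestApiTokenId": "00Tabc123EXAMPLE"}},  # constructed
    },
    {   # failed login from a malicious IP -> no signal (rule needs success)
        "eventType": "user.session.start",
        "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
        "client": {"ipAddress": "203.0.113.45"},
        "actor": {"alternateId": "bob@example.com"},
        "transaction": {"detail": {}},
    },
    {   # successful login from an unflagged IP -> no signal
        "eventType": "user.session.start",
        "outcome": {"result": "SUCCESS"},
        "client": {"ipAddress": "192.0.2.10"},
        "actor": {"alternateId": "alice@example.com"},
        "transaction": {"detail": {}},
    },
    {   # SSO from a Tor exit node -> medium
        "eventType": "user.authentication.sso",
        "outcome": {"result": "SUCCESS"},
        "client": {"ipAddress": "198.51.100.7"},
        "actor": {"alternateId": "carol@example.com"},
        "transaction": {"detail": {}},
    },
]


def get_path(event: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted path such as 'transaction.detail.requestApiTokenId'."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


@dataclass(frozen=True)
class Signal:
    severity: str            # "high" or "medium"
    user: str
    client_ip: str
    threat_category: str
    api_token_id: Optional[str]
    event_type: str


def evaluate(event: dict, intel: dict = THREAT_INTEL) -> Optional[Signal]:
    """Return a Signal when the event matches the rule, otherwise None."""
    if get_path(event, "outcome.result") != "SUCCESS":
        return None                     # only successful activity is in scope
    ip = get_path(event, "client.ipAddress")
    category = intel.get(ip)
    if category is None:
        return None                     # IP not flagged by threat intelligence
    token_id = get_path(event, "transaction.detail.requestApiTokenId")
    severity = "high" if token_id else "medium"   # token usage is escalated
    return Signal(severity, get_path(event, "actor.alternateId", "<unknown>"),
                  ip, category, token_id, get_path(event, "eventType", "<unknown>"))


def run_rule(events: list, intel: dict = THREAT_INTEL) -> list:
    """Evaluate every event and keep the ones that produced a signal."""
    return [s for s in (evaluate(e, intel) for e in events) if s is not None]


def accounts_from_ip(events: list, ip: str) -> set:
    """Triage pivot: every account with successful activity from the flagged IP."""
    return {get_path(e, "actor.alternateId") for e in events
            if get_path(e, "client.ipAddress") == ip
            and get_path(e, "outcome.result") == "SUCCESS"}


if __name__ == "__main__":
    for s in run_rule(SAMPLE_EVENTS):
        via = f" via API token {s.api_token_id}" if s.api_token_id else ""
        print(f"[{s.severity.upper():6}] {s.event_type} by {s.user} "
              f"from {s.client_ip} ({s.threat_category}){via}")
    print("Accounts seen from 203.0.113.45:",
          sorted(accounts_from_ip(SAMPLE_EVENTS, "203.0.113.45")))
```

Running the script prints one medium signal for alice, one high signal for the token-authenticated service account, one medium signal for carol's Tor-sourced SSO, and shows that the malicious IP touched two accounts, which is the point of the final triage step.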