
Okta SCIM application creation or modification

Goal

Detects creation or modification of a SCIM application in Okta, with escalating severity when followed by password synchronization or user provisioning to an external endpoint.

Strategy

This rule monitors Okta logs for three stages of a SCIM-based credential exfiltration attack. An attacker with administrative access can create a rogue SCIM application pointing to infrastructure they control, enable password sync, and then push users to that application to harvest their credentials in bulk.

A lower-severity alert is generated when only the creation or modification of a SCIM application has been observed. The severity escalates if password synchronization is subsequently enabled for that application, and escalates again if users are pushed or synced to it, since at that point credentials may already have reached the external endpoint.

Triage and response

  • Identify the SCIM application that was created or modified and verify whether the @debugContext.debugData.requestUri references a known and authorized SCIM endpoint.
  • Determine if the administrator at {{@network.client.ip}} had a legitimate reason to create or configure a SCIM application with password synchronization enabled.
  • Examine whether any application.provision.user.push or application.provision.user.sync events occurred for the application to determine if user credentials were already exfiltrated.
  • Check recent administrative activity from {{@network.client.ip}} for other suspicious actions such as privilege escalation, policy changes, or creation of additional applications.
  • Initiate your security incident response process for further containment and remediation.
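The following is an added example, not Datadog's rule logic or Okta's own code, showing the three-stage correlation from the Strategy section and the endpoint allowlist check from the first triage step, run over a handful of constructed Okta System Log lines. The field names used (eventType, published, client.ipAddress, target[], debugContext.debugData.requestUri) follow the Okta System Log schema, but the app IDs, hostnames and IP addresses are invented, the requestUri values are constructed to carry the SCIM base URL so the allowlist check has something to compare, and the debugData key "passwordSync" is an assumed marker standing in for however the password-sync setting appears in a given tenant's logs.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed Okta System Log lines (not real tenant data). App IDs, hosts and IPs are
# invented, and the debugData key "passwordSync" is an assumed marker (see lead-in).
SAMPLE_LOG = r"""
{"eventType":"application.lifecycle.create","published":"2024-05-01T10:00:00.000Z","client":{"ipAddress":"203.0.113.10"},"target":[{"type":"AppInstance","id":"0oaEXAMPLE1","displayName":"HR Sync"}],"debugContext":{"debugData":{"requestUri":"https://scim.attacker.example/v2"}}}
{"eventType":"application.lifecycle.update","published":"2024-05-01T10:02:00.000Z","client":{"ipAddress":"203.0.113.10"},"target":[{"type":"AppInstance","id":"0oaEXAMPLE1","displayName":"HR Sync"}],"debugContext":{"debugData":{"requestUri":"https://scim.attacker.example/v2","passwordSync":"true"}}}
{"eventType":"application.provision.user.push","published":"2024-05-01T10:05:00.000Z","client":{"ipAddress":"203.0.113.10"},"target":[{"type":"AppInstance","id":"0oaEXAMPLE1","displayName":"HR Sync"},{"type":"User","alternateId":"alice@example.com"}],"debugContext":{"debugData":{"requestUri":"https://scim.attacker.example/v2/Users"}}}
{"eventType":"application.lifecycle.update","published":"2024-05-01T11:00:00.000Z","client":{"ipAddress":"198.51.100.7"},"target":[{"type":"AppInstance","id":"0oaEXAMPLE2","displayName":"Ticketing"}],"debugContext":{"debugData":{"requestUri":"https://scim.ticketing.example/v2"}}}
{"eventType":"application.provision.user.sync","published":"2024-05-01T11:30:00.000Z","client":{"ipAddress":"198.51.100.7"},"target":[{"type":"AppInstance","id":"0oaEXAMPLE3","displayName":"Payroll"}],"debugContext":{"debugData":{"requestUri":"https://scim.payroll.example/v2/Users"}}}
"""

# Hosts of SCIM endpoints the organisation has approved (constructed for the example).
KNOWN_SCIM_HOSTS = frozenset({"scim.ticketing.example", "scim.payroll.example"})

# Okta event types for each stage of the chain. Stage 2 (password sync enabled) is
# derived from a stage-1 update event in stage_of().
STAGE_EVENTS = {
    "application.lifecycle.create": 1,
    "application.lifecycle.update": 1,
    "application.provision.user.push": 3,
    "application.provision.user.sync": 3,
}
SEVERITY = {1: "low", 2: "medium", 3: "high"}


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by publish time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def app_target(ev):
    """Return (id, displayName) of the AppInstance target the event acted on, or None."""
    for t in ev.get("target") or []:
        if t.get("type") == "AppInstance":
            return t.get("id"), t.get("displayName")
    return None


def debug_data(ev):
    return (ev.get("debugContext") or {}).get("debugData") or {}


def is_known_scim_endpoint(uri, known_hosts=KNOWN_SCIM_HOSTS):
    """Triage step 1: does the recorded endpoint belong to an approved SCIM host?"""
    host = urlparse(uri).hostname
    return host is not None and host in known_hosts


def stage_of(ev):
    stage = STAGE_EVENTS.get(ev.get("eventType"))
    if stage == 1 and str(debug_data(ev).get("passwordSync", "")).lower() == "true":
        return 2  # assumed marker for password synchronization being enabled
    return stage


def assess(events, window=timedelta(hours=1), known_hosts=KNOWN_SCIM_HOSTS):
    """Correlate events per app and record the highest stage reached inside the window.

    Only a create/update (stage 1 or 2) opens a finding; a push/sync with no recent
    create/update of the same app is ordinary provisioning and is ignored.
    """
    findings = {}
    for ev in events:
        stage, target = stage_of(ev), app_target(ev)
        if stage is None or target is None:
            continue
        app_id, name = target
        f = findings.get(app_id)
        if f is None or ev["_ts"] - f["first_seen"] > window:
            if stage == 3:
                continue
            f = findings[app_id] = {"app": name, "stage": 0, "first_seen": ev["_ts"],
                                    "actor_ips": set(), "unknown_endpoints": set()}
        f["stage"] = max(f["stage"], stage)
        f["severity"] = SEVERITY[f["stage"]]
        f["actor_ips"].add((ev.get("client") or {}).get("ipAddress"))
        uri = debug_data(ev).get("requestUri", "")
        if uri and not is_known_scim_endpoint(uri, known_hosts):
            f["unknown_endpoints"].add(uri)
    return findings


def run_sample():
    return assess(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for app_id, f in run_sample().items():
        print(f"{app_id} ({f['app']}): stage {f['stage']} -> {f['severity']}, "
              f"admins {sorted(f['actor_ips'])}, unknown endpoints {sorted(f['unknown_endpoints'])}")
```

On the sample, the "HR Sync" application reaches stage 3 (high) from a single administrator IP with an endpoint outside the allowlist, "Ticketing" stays at stage 1 (low) with a known endpoint, and the "Payroll" sync event produces no finding at all because no creation or modification preceded it. The per-app actor IPs and unknown endpoints are exactly what the triage steps above ask you to pull out first.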