---
title: Okta SCIM application creation or modification
description: Datadog, the leading service for cloud-scale monitoring.
---

# Okta SCIM application creation or modification
- Classification: attack
- Tactic: [TA0003-persistence](https://attack.mitre.org/tactics/TA0003)
- Technique: [T1098-account-manipulation](https://attack.mitre.org/techniques/T1098)
## Goal{% #goal %}

Detects the creation or modification of a SCIM application in Okta, with severity escalating when the change is followed by password synchronization or by provisioning users to the application's external endpoint.

## Strategy{% #strategy %}

This rule monitors Okta System Log events for the three stages of a SCIM-based credential exfiltration attack. An attacker with administrative access can create a rogue SCIM application (or repoint an existing one) at infrastructure they control, enable password synchronization so that Okta pushes users' passwords to that application, and then push or sync users to it to harvest their credentials in bulk.

A lower-severity alert is generated when only the creation or modification of a SCIM application has occurred, without a subsequent password synchronization or user provisioning event for that application.

## Triage and response{% #triage-and-response %}

- Identify the SCIM application that was created or modified and verify whether the URI in `@debugContext.debugData.requestUri` references a known and authorized SCIM endpoint.
- Determine whether the administrator at `{{@network.client.ip}}` had a legitimate reason to create or configure a SCIM application with password synchronization enabled.
- Examine whether any `application.provision.user.push` or `application.provision.user.sync` events occurred for the application, to determine whether user credentials may already have been exfiltrated.
- Check recent administrative activity from `{{@network.client.ip}}` for other suspicious actions such as privilege escalation, policy changes, or creation of additional applications.
- Initiate your security incident response process for further containment and remediation.
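The three-stage correlation described under Strategy, together with the endpoint check from the first triage step, as an added example that is not part of this page or of Datadog's rule implementation. Only `application.provision.user.push` and `application.provision.user.sync` are named on the page; the `application.lifecycle.*` and `application.provision.user.push_password` event types, the three-level severity ladder, the allowlist of SCIM hosts and the sample log lines are assumptions made for the example. The events are read in raw Okta System Log shape (`client.ipAddress` is what the Datadog pipeline exposes as `@network.client.ip`).

```python
"""Added example (not Datadog's or Okta's code): correlate Okta System Log
events into the three-stage escalation this rule describes."""
import json
from urllib.parse import urlparse

# Event types named on the page.
USER_PROVISION_EVENTS = {"application.provision.user.push",
                         "application.provision.user.sync"}
# Assumed event types (not named on the page); confirm them in your own
# Okta System Log before relying on them in a detection.
APP_CHANGE_EVENTS = {"application.lifecycle.create", "application.lifecycle.update"}
PASSWORD_SYNC_EVENTS = {"application.provision.user.push_password"}

# Assumed allowlist of SCIM endpoint hosts your organisation actually uses.
KNOWN_SCIM_HOSTS = {"scim.hr-vendor.example"}

# Assumed severity ladder: the page only says stage one is "lower" severity.
STAGE_SEVERITY = {"app_changed": "low", "password_sync": "medium",
                  "user_provisioned": "high"}
RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample log (JSON lines in Okta System Log shape), not real data.
SAMPLE_LOG = """\
{"published":"2024-05-01T10:00:00.000Z","eventType":"application.lifecycle.create","actor":{"alternateId":"admin@corp.example"},"client":{"ipAddress":"203.0.113.7"},"target":[{"type":"AppInstance","displayName":"Rogue SCIM"}],"debugContext":{"debugData":{"requestUri":"https://scim.attacker-controlled.example/scim/v2"}}}
{"published":"2024-05-01T10:02:00.000Z","eventType":"application.provision.user.push_password","actor":{"alternateId":"admin@corp.example"},"client":{"ipAddress":"203.0.113.7"},"target":[{"type":"AppInstance","displayName":"Rogue SCIM"},{"type":"User","alternateId":"alice@corp.example"}],"debugContext":{"debugData":{"requestUri":"https://scim.attacker-controlled.example/scim/v2/Users"}}}
{"published":"2024-05-01T10:05:00.000Z","eventType":"application.provision.user.push","actor":{"alternateId":"admin@corp.example"},"client":{"ipAddress":"203.0.113.7"},"target":[{"type":"AppInstance","displayName":"Rogue SCIM"},{"type":"User","alternateId":"alice@corp.example"}],"debugContext":{"debugData":{"requestUri":"https://scim.attacker-controlled.example/scim/v2/Users"}}}
{"published":"2024-05-01T11:00:00.000Z","eventType":"application.lifecycle.update","actor":{"alternateId":"itops@corp.example"},"client":{"ipAddress":"198.51.100.20"},"target":[{"type":"AppInstance","displayName":"HR Vendor SCIM"}],"debugContext":{"debugData":{"requestUri":"https://scim.hr-vendor.example/scim/v2"}}}
{"published":"2024-05-01T11:30:00.000Z","eventType":"application.provision.user.sync","actor":{"alternateId":"system"},"client":{"ipAddress":"198.51.100.20"},"target":[{"type":"AppInstance","displayName":"Payroll (no admin change)"}]}
"""


def load_events(text):
    """Parse JSON lines and order them by the Okta `published` timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e.get("published", ""))


def app_name(event):
    """Display name of the AppInstance target, or None if the event has none."""
    for target in event.get("target") or []:
        if target.get("type") == "AppInstance":
            return target.get("displayName")
    return None


def request_host(event):
    """Hostname of debugContext.debugData.requestUri, or None when absent."""
    uri = event.get("debugContext", {}).get("debugData", {}).get("requestUri")
    return urlparse(uri).hostname if uri else None


def stage_of(event):
    """Map an event type onto one of the rule's three stages, or None."""
    event_type = event.get("eventType", "")
    if event_type in APP_CHANGE_EVENTS:
        return "app_changed"
    if event_type in PASSWORD_SYNC_EVENTS:
        return "password_sync"
    if event_type in USER_PROVISION_EVENTS:
        return "user_provisioned"
    return None


def correlate(events):
    """One finding per application, opened by a create/modify event and
    escalated by later password-sync or provisioning events for the same app.
    Provisioning for an app that was never created/modified in the window is
    ignored: that is routine activity and not what this rule keys on."""
    findings = {}
    for event in events:
        stage, name = stage_of(event), app_name(event)
        if stage is None or name is None:
            continue
        if stage == "app_changed":
            finding = findings.setdefault(name, {
                "severity": "low", "stages": [], "actors": set(),
                "client_ips": set(), "request_hosts": set()})
        else:
            finding = findings.get(name)
            if finding is None:
                continue
        if stage not in finding["stages"]:
            finding["stages"].append(stage)
        if RANK[STAGE_SEVERITY[stage]] > RANK[finding["severity"]]:
            finding["severity"] = STAGE_SEVERITY[stage]
        finding["actors"].add(event.get("actor", {}).get("alternateId"))
        finding["client_ips"].add(event.get("client", {}).get("ipAddress"))
        if request_host(event):
            finding["request_hosts"].add(request_host(event))
    for finding in findings.values():
        # Triage step one: does every request URI point at an allowlisted host?
        finding["unknown_endpoint"] = any(
            host not in KNOWN_SCIM_HOSTS for host in finding["request_hosts"])
    return findings


if __name__ == "__main__":
    for name, finding in correlate(load_events(SAMPLE_LOG)).items():
        print(name, finding["severity"], finding["stages"],
              "UNKNOWN endpoint" if finding["unknown_endpoint"] else "known endpoint",
              sorted(finding["client_ips"]))
```

Run stand-alone, the rogue application comes out at the highest severity with all three stages and an endpoint host outside the allowlist, while the vendor application's routine update stays at the lower severity on a known host. Sorting by `published` matters: the escalation only counts password-sync and provisioning events that follow the create/modify event for the same application, which is the ordering the rule describes.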
