Okta admin console activity from new device

Goal

Detects an Okta Admin Console sign-in from a new device and geolocation. Using Okta's new device and location enrichment, alerts are triggered for allowed sign-ons to Okta's administrator console.

Strategy

This rule monitors Okta sign-on evaluation events (policy.evaluate_sign_on) for admin console access where @debugContext.debugData.behaviors includes positive flags for new device and new geolocation. After the sign-on evaluation, a user.session.access_admin_app event is logged for the same user.

Accessing administrative views and privileges from a new device and location can indicate an account takeover.
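The correlation described above, written out as an added Python example (not part of this rule's own implementation): it parses Okta's behaviors string, keeps allowed admin-console sign-on evaluations flagged for both New Device and New Geo-Location, and alerts when the same actor's user.session.access_admin_app event follows. The sample events are constructed, field names follow the Okta System Log schema, and the "Okta Admin Console" target displayName is an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample Okta System Log events (not real data). The "Okta Admin Console"
# target displayName used to recognise admin-console access is an assumption.
BEHAV_ALICE = "{New Geo-Location=POSITIVE, New Device=POSITIVE, New IP=POSITIVE}"
BEHAV_BOB = "{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=POSITIVE}"

def _event(etype, who, ip, when, result, behaviors=None):
    ev = {"eventType": etype, "published": when, "actor": {"alternateId": who},
          "client": {"ipAddress": ip}, "outcome": {"result": result},
          "target": [{"type": "AppInstance", "displayName": "Okta Admin Console"}]}
    if behaviors is not None:
        ev["debugContext"] = {"debugData": {"behaviors": behaviors}}
    return ev

SAMPLE_EVENTS = [
    _event("policy.evaluate_sign_on", "alice@example.com", "198.51.100.7", "2024-05-01T10:00:00Z", "ALLOW", BEHAV_ALICE),
    _event("user.session.access_admin_app", "alice@example.com", "198.51.100.7", "2024-05-01T10:00:05Z", "SUCCESS"),
    _event("policy.evaluate_sign_on", "bob@example.com", "203.0.113.9", "2024-05-01T10:01:00Z", "ALLOW", BEHAV_BOB),
    _event("user.session.access_admin_app", "bob@example.com", "203.0.113.9", "2024-05-01T10:01:03Z", "SUCCESS"),
]

BEHAVIOR_RE = re.compile(r"([^{},=]+)=(POSITIVE|NEGATIVE|UNKNOWN)")

def parse_behaviors(raw: Optional[str]) -> Dict[str, str]:
    """Parse Okta's '{New Device=POSITIVE, ...}' behaviors string into a dict."""
    return {k.strip(): v for k, v in BEHAVIOR_RE.findall(raw or "")}

def is_admin_console(ev: dict) -> bool:
    return any(t.get("displayName") == "Okta Admin Console" for t in ev.get("target") or [])

def find_alerts(events: List[dict]) -> List[dict]:
    """Pair an allowed admin-console sign-on evaluation flagged New Device AND
    New Geo-Location with the same actor's subsequent user.session.access_admin_app."""
    pending: Dict[str, Dict[str, str]] = {}  # actor -> parsed behaviors of the flagged evaluation
    alerts = []
    for ev in sorted(events, key=lambda e: e["published"]):
        actor = ev["actor"]["alternateId"]
        if ev["eventType"] == "policy.evaluate_sign_on":
            if ev["outcome"]["result"] != "ALLOW" or not is_admin_console(ev):
                continue
            b = parse_behaviors(ev.get("debugContext", {}).get("debugData", {}).get("behaviors"))
            if b.get("New Device") == "POSITIVE" and b.get("New Geo-Location") == "POSITIVE":
                pending[actor] = b
        elif ev["eventType"] == "user.session.access_admin_app" and actor in pending:
            alerts.append({"usr.email": actor, "network.client.ip": ev["client"]["ipAddress"],
                           "behaviors": pending.pop(actor), "at": ev["published"]})
    return alerts
```

Running find_alerts(SAMPLE_EVENTS) yields one alert for alice@example.com; bob is not alerted because only New Device, not New Geo-Location, was positive.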

Triage & Response

  • Review the sign-on details for {{@usr.email}} and confirm the user recognizes the new device.
  • Check whether the geolocation and source IP {{@network.client.ip}} match expected locations, travel, or corporate VPN patterns.
  • Identify preceding authentication events for {{@usr.email}} (failed logins, MFA challenges, password resets) near the alert time.
  • Determine if strong MFA and device posture controls were required for this account and whether they were satisfied within the policy evaluation log.
  • Examine subsequent Okta actions from the same user after accessing the admin portal, such as admin role changes, policy updates, application assignments, or reading of OAuth secrets.
  • If the access event is unexpected or resulted in suspicious activities, initiate your incident response plan.