Okta Identity Provider creation or modification

okta

Classification: attack

Set up the Okta integration.

Goal

Detect when an Okta Identity Provider has been created or modified.

Strategy

This rule monitors when an Okta Identity Provider has been created or modified. Okta’s security team reported a series of social engineering attacks in which attackers configured a second Identity Provider to act as an “impersonation app” to access applications within the compromised customer organization on behalf of other users.

Triage and response

  1. Contact the user {{@usr.email}} to ensure the change {{@evt.name}} is authorized.
  2. If the user was unaware of the change:
    • Determine whether any other activity occurred from this user; look for deviations in user agents, IP addresses, and other network metadata.
    • Begin your organization’s incident response process and investigate for any account takeovers.
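The detection and the first two triage steps, as an added example that is not Datadog's rule code: it scans constructed Okta System Log records (JSON lines, made up for this illustration) for Identity Provider lifecycle events, builds an alert carrying the user and event name the triage steps reference, and summarizes every IP address and user agent the same actor used so a reviewer can spot a source that deviates from the user's normal activity. The event-type names in IDP_CHANGE_EVENTS are an assumption (the page names none; they follow Okta's system.idp.lifecycle.* convention) and should be checked against your own System Log before relying on them.

```python
import json
from collections import defaultdict

# Okta System Log event types that signal an Identity Provider was created or modified.
# ASSUMPTION: the page names no event types; these follow Okta's system.idp.lifecycle.*
# naming and should be verified against the System Log of your own org.
IDP_CHANGE_EVENTS = {
    "system.idp.lifecycle.create",
    "system.idp.lifecycle.update",
    "system.idp.lifecycle.activate",
}

# Constructed sample System Log records (JSON lines); not captured from a real tenant.
SAMPLE_LOG_LINES = [
    '{"eventType": "user.session.start", "published": "2024-05-01T09:00:00Z", '
    '"actor": {"alternateId": "alice@example.com"}, '
    '"client": {"ipAddress": "203.0.113.10", "userAgent": {"rawUserAgent": "Mozilla/5.0 (Macintosh)"}}, '
    '"target": []}',
    '{"eventType": "system.idp.lifecycle.create", "published": "2024-05-01T09:05:00Z", '
    '"actor": {"alternateId": "alice@example.com"}, '
    '"client": {"ipAddress": "198.51.100.7", "userAgent": {"rawUserAgent": "python-requests/2.31"}}, '
    '"target": [{"type": "IdentityProvider", "displayName": "Backup SAML IdP"}]}',
    '{"eventType": "user.account.update_profile", "published": "2024-05-01T09:06:00Z", '
    '"actor": {"alternateId": "alice@example.com"}, '
    '"client": {"ipAddress": "198.51.100.7", "userAgent": {"rawUserAgent": "python-requests/2.31"}}, '
    '"target": []}',
    '{"eventType": "system.idp.lifecycle.update", "published": "2024-05-01T10:00:00Z", '
    '"actor": {"alternateId": "bob@example.com"}, '
    '"client": {"ipAddress": "203.0.113.20", "userAgent": {"rawUserAgent": "Mozilla/5.0 (Windows)"}}, '
    '"target": [{"type": "IdentityProvider", "displayName": "Corporate IdP"}]}',
]


def parse_events(lines):
    """Parse JSON-lines System Log records into dicts."""
    return [json.loads(line) for line in lines]


def detect_idp_changes(events):
    """Return one alert per IdP create/modify event, carrying the fields triage needs
    (the actor's email and the event name, plus the IdP touched and the client source)."""
    alerts = []
    for ev in events:
        if ev.get("eventType") not in IDP_CHANGE_EVENTS:
            continue
        idp_names = [t.get("displayName", "?") for t in ev.get("target", [])
                     if t.get("type") == "IdentityProvider"]
        client = ev.get("client", {})
        alerts.append({
            "usr.email": ev.get("actor", {}).get("alternateId"),
            "evt.name": ev["eventType"],
            "idp": idp_names,
            "ip": client.get("ipAddress"),
            "user_agent": client.get("userAgent", {}).get("rawUserAgent"),
            "published": ev.get("published"),
        })
    return alerts


def actor_deviations(events, email):
    """Triage step 2: collect every IP address and user agent this actor used and count
    their event types, so a reviewer can see whether the IdP change came from a source
    that differs from the user's other activity."""
    ips, agents, event_counts = set(), set(), defaultdict(int)
    for ev in events:
        if ev.get("actor", {}).get("alternateId") != email:
            continue
        client = ev.get("client", {})
        ips.add(client.get("ipAddress"))
        agents.add(client.get("userAgent", {}).get("rawUserAgent"))
        event_counts[ev.get("eventType")] += 1
    return {
        "ips": sorted(i for i in ips if i),
        "user_agents": sorted(a for a in agents if a),
        "event_counts": dict(event_counts),
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG_LINES)
    for alert in detect_idp_changes(evs):
        print("ALERT:", alert)
        print("  actor activity:", actor_deviations(evs, alert["usr.email"]))
```

In the constructed data the IdP creation by alice@example.com comes from a different IP and a scripted user agent than her earlier session, which is exactly the kind of deviation step 2 asks the responder to look for before escalating to the incident response process.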