Okta Identity Provider Created

 1title: Okta Identity Provider Created
 2id: 969c7590-8c19-4797-8c1b-23155de6e7ac
 3status: test
 4description: Detects when a new identity provider is created for Okta.
 5references:
 6    - https://developer.okta.com/docs/reference/api/system-log/
 7    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
 8author: kelnage
 9date: 2023-09-07
10tags:
11    - attack.persistence
12    - attack.t1098.001
13logsource:
14    product: okta
15    service: okta
16detection:
17    selection:
18        eventtype: 'system.idp.lifecycle.create'
19    condition: selection
20falsepositives:
21    - When an admin creates a new, authorised identity provider.
22level: medium

References

• System Log | Okta Developer

  Secure, scalable, and highly available authentication and user management for any app.

  
  Read More

• Cross-Tenant Impersonation: Prevention and Detection

  SummaryOkta has observed attacks in which a threat actor used social engineering to attain a highly privileged role in an Okta customer Orga

  
  Read More

Related rules

• Added Credentials to Existing Application
• Github Outside Collaborator Detected
• A Member Was Added to a Security-Enabled Global Group
• A Member Was Removed From a Security-Enabled Global Group
• A New Trust Was Created To A Domain