Okta New Admin Console Behaviours

calendar Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.defense-evasion attack.initial-access attack.t1078.004  ·
Share on: linkedin copy

Detects when Okta identifies new activity in the Admin Console.

Sigma rule (View on GitHub)

 1title: Okta New Admin Console Behaviours
 2id: a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9
 3status: test
 4description: Detects when Okta identifies new activity in the Admin Console.
 5references:
 6    - https://developer.okta.com/docs/reference/api/system-log/
 7    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
 8author: kelnage
 9date: 2023-09-07
10modified: 2024-06-26
11tags:
12    - attack.privilege-escalation
13    - attack.persistence
14    - attack.defense-evasion
15    - attack.initial-access
16    - attack.t1078.004
17logsource:
18    product: okta
19    service: okta
20detection:
21    selection_event:
22        eventtype: 'policy.evaluate_sign_on'
23        target.displayname: 'Okta Admin Console'
24    selection_positive:
25        - debugcontext.debugdata.behaviors|contains: 'POSITIVE'
26        - debugcontext.debugdata.logonlysecuritydata|contains: 'POSITIVE'
27    condition: all of selection_*
28falsepositives:
29    - When an admin begins using the Admin Console and one of Okta's heuristics incorrectly identifies the behavior as being unusual.
30level: high

References

  • System Log

    The Okta System Log records system events that are related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. The System Log API provides near real-time, read-only access to your organization's System Log and is the programmatic counterpart of the [System Log UI](https://help.okta.com/okta_help.htm?id=ext_Reports_SysLog). The terms "event" and "log event" are often used interchangeably. In the context of this API, an "event" is an occurrence of interest within the system, and a "log" or "log event" is the recorded fact. The System Log API supports these primary use cases: * Event data export into a security information and event management system (SIEM) * System monitoring * Development debugging * Event introspection and audit > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). For further details and examples, see [System Log query](https://developer.okta.com/docs/reference/system-log-query/).


    Read More

  • Cross-Tenant Impersonation: Prevention and Detection

    SummaryOkta has observed attacks in which a threat actor used social engineering to attain a highly privileged role in an Okta customer Orga


    Read More

Related rules

to-top