Okta New Admin Console Behaviours

 1title: Okta New Admin Console Behaviours
 2id: a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9
 3status: experimental
 4description: Detects when Okta identifies new activity in the Admin Console.
 5references:
 6    - https://developer.okta.com/docs/reference/api/system-log/
 7    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
 8author: kelnage
 9date: 2023-09-07
10modified: 2024-06-26
11tags:
12    - attack.initial-access
13    - attack.t1078.004
14logsource:
15    product: okta
16    service: okta
17detection:
18    selection_event:
19        eventtype: 'policy.evaluate_sign_on'
20        target.displayname: 'Okta Admin Console'
21    selection_positive:
22        - debugcontext.debugdata.behaviors|contains: 'POSITIVE'
23        - debugcontext.debugdata.logonlysecuritydata|contains: 'POSITIVE'
24    condition: all of selection_*
25falsepositives:
26    - When an admin begins using the Admin Console and one of Okta's heuristics incorrectly identifies the behavior as being unusual.
27level: high

References

• System Log | Okta Developer

  Secure, scalable, and highly available authentication and user management for any app.

  
  Read More

• Cross-Tenant Impersonation: Prevention and Detection

  SummaryOkta has observed attacks in which a threat actor used social engineering to attain a highly privileged role in an Okta customer Orga

  
  Read More

Related rules

• Account Disabled or Blocked for Sign in Attempts
• Azure AD Only Single Factor Authentication Required
• Azure Subscription Permission Elevation Via ActivityLogs
• Failed Authentications From Countries You Do Not Operate Out Of
• Github New Secret Created