Okta New Admin Console Behaviours

 1title: Okta New Admin Console Behaviours
 2id: a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9
 3status: experimental
 4description: Detects when Okta identifies new activity in the Admin Console.
 5references:
 6    - https://developer.okta.com/docs/reference/api/system-log/
 7    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
 8author: kelnage
 9date: 2023/09/07
10tags:
11    - attack.initial_access
12    - attack.t1078.004
13logsource:
14    product: okta
15    service: okta
16detection:
17    selection:
18        eventtype: 'policy.evaluate_sign_on'
19        target.displayname: 'Okta Admin Console'
20        debugcontext_debugdata_behaviors: 'POSITIVE'
21        debugcontext_debugdata_logonlysecuritydata: 'POSITIVE'
22    condition: selection
23falsepositives:
24    - Whenever an admin starts using new features of the admin console.
25level: low

References

• System Log | Okta Developer

  

  Secure, scalable, and highly available authentication and user management for any app.

  
  Read More

• Cross-Tenant Impersonation: Prevention and Detection

  Summary

  
  Read More

Related rules

• Potential MFA Bypass Using Legacy Client Authentication
• Github Self Hosted Runner Changes Detected
• Github New Secret Created
• Account Disabled or Blocked for Sign in Attempts
• Azure AD Only Single Factor Authentication Required