Okta New Admin Console Behaviours
Detects when Okta identifies new activity in the Admin Console.
Sigma rule (View on GitHub)
1title: Okta New Admin Console Behaviours
2id: a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9
3status: experimental
4description: Detects when Okta identifies new activity in the Admin Console.
5references:
6 - https://developer.okta.com/docs/reference/api/system-log/
7 - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
8author: kelnage
9date: 2023/09/07
10modified: 2023/10/25
11tags:
12 - attack.initial_access
13 - attack.t1078.004
14logsource:
15 product: okta
16 service: okta
17detection:
18 selection:
19 eventtype: 'policy.evaluate_sign_on'
20 target.displayname: 'Okta Admin Console'
21 debugcontext.debugdata.behaviors: 'POSITIVE'
22 debugcontext.debugdata.logonlysecuritydata: 'POSITIVE'
23 condition: selection
24falsepositives:
25 - Whenever an admin starts using new features of the admin console.
26level: low
References
-
-
Summary Okta has observed attacks in which a threat actor used social engineering to attain a highly privileged role in an Okta customer Organization (tenant). When successful, the threat actor demonstrated novel methods of lateral movement and defense evasion. These methods are preventable and present several detection opportunities for defenders. In recent weeks, multiple US-based Okta customers have reported a consistent pattern of so
Read More
Related rules
- Account Disabled or Blocked for Sign in Attempts
- Azure AD Only Single Factor Authentication Required
- Azure Subscription Permission Elevation Via ActivityLogs
- Failed Authentications From Countries You Do Not Operate Out Of
- Multifactor Authentication Interrupted