New Okta User Created

Sep 2, 2024 · attack.credential-access ·

Detects new user account creation

Sigma rule (View on GitHub)

 1title: New Okta User Created
 2id: b6c718dd-8f53-4b9f-98d8-93fdca966969
 3status: test
 4description: Detects new user account creation
 5author: Nasreddine Bencherchali (Nextron Systems)
 6date: 2023-10-25
 7references:
 8    - https://developer.okta.com/docs/reference/api/event-types/
 9tags:
10    - attack.credential-access
11logsource:
12    service: okta
13    product: okta
14detection:
15    selection:
16        eventtype: 'user.lifecycle.create'
17    condition: selection
18falsepositives:
19    - Legitimate and authorized user creation
20level: informational

References

Event Types | Okta Developer

Secure, scalable, and highly available authentication and user management for any app.

Read More

Related rules

Kerberoasting Activity - Initial Query
LSASS Process Memory Dump Creation Via Taskmgr.EXE
Okta 2023 Breach Indicator Of Compromise
Okta Admin Functions Access Through Proxy
Potential Okta Password in AlternateID Field

New Okta User Created

Sigma rule (View on GitHub)

References

Event Types | Okta Developer

Related rules