Okta 2023 Breach Indicator Of Compromise
Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach. This rule can be enhanced by filtering out known and legitimate usernames used in your environment.
Sigma rule

```yaml
title: Okta 2023 Breach Indicator Of Compromise
id: 00a8e92a-776b-425f-80f2-82d8f8fab2e5
status: test
description: |
    Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach.
    This rule can be enhanced by filtering out known and legitimate usernames used in your environment.
author: Muhammad Faisal (@faisalusuf)
date: 2023-10-25
modified: 2026-04-27
references:
    - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
    - https://developer.okta.com/docs/reference/api/event-types/
tags:
    - attack.credential-access
    - detection.emerging-threats
logsource:
    service: okta
    product: okta
detection:
    selection:
        eventType:
            - 'user.lifecycle.create'
            - 'user.lifecycle.activate'
        target.displayName|contains: 'svc_network_backup'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
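The selection above, re-implemented in Python against constructed Okta System Log events, as an added example that is not part of the SigmaHQ rule. It assumes the Okta System Log shape (a top-level `eventType` string and a `target` list of objects carrying `displayName`) and adds the optional allowlist of known-legitimate names that the rule description suggests as tuning; the sample events and the allowlist are hypothetical.

```python
"""Evaluate the Okta 2023 breach Sigma rule against Okta System Log events.

Added example, not the SigmaHQ rule's own code. Events are constructed to
mirror the Okta System Log schema; the allowlist is a hypothetical tuning.
"""

# Values taken from the rule's selection block.
EVENT_TYPES = {"user.lifecycle.create", "user.lifecycle.activate"}
NAME_FRAGMENT = "svc_network_backup"

# Constructed sample events (not real log data), one target each.
SAMPLE_EVENTS = [
    {"eventType": "user.lifecycle.create",
     "target": [{"type": "User", "displayName": "svc_network_backup"}]},
    {"eventType": "user.lifecycle.activate",
     "target": [{"type": "User", "displayName": "SVC_Network_Backup_2"}]},
    {"eventType": "user.lifecycle.create",
     "target": [{"type": "User", "displayName": "jane.doe"}]},
    # Right name, wrong event type: must not fire.
    {"eventType": "user.session.start",
     "target": [{"type": "User", "displayName": "svc_network_backup"}]},
]


def hits(events, allowlist=frozenset()):
    """Return (eventType, displayName) pairs that satisfy the selection.

    Mirrors the Sigma logic: eventType must be one of the listed values AND
    a target displayName must contain the fragment. Sigma string matching
    is case-insensitive by default, so the comparison lowercases the name.
    Names in `allowlist` (exact matches) are skipped, which is the
    environment-specific filtering the rule description recommends.
    """
    out = []
    for event in events:
        if event.get("eventType") not in EVENT_TYPES:
            continue
        for target in event.get("target") or []:
            name = target.get("displayName") or ""
            if name in allowlist:
                continue
            if NAME_FRAGMENT in name.lower():
                out.append((event["eventType"], name))
    return out


def matches_rule(event, allowlist=frozenset()):
    """True when a single event would raise this rule."""
    return bool(hits([event], allowlist))
```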