Okta Identity Provider Created

 1title: Okta Identity Provider Created
 2id: 969c7590-8c19-4797-8c1b-23155de6e7ac
 3status: test
 4description: Detects when a new identity provider is created for Okta.
 5references:
 6    - https://developer.okta.com/docs/reference/api/system-log/
 7    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
 8author: kelnage
 9date: 2023-09-07
10modified: 2026-04-27
11tags:
12    - attack.privilege-escalation
13    - attack.persistence
14    - attack.t1098.001
15logsource:
16    product: okta
17    service: okta
18detection:
19    selection:
20        eventType: 'system.idp.lifecycle.create'
21    condition: selection
22falsepositives:
23    - When an admin creates a new, authorised identity provider.
24level: medium

References

• System Log

  
  Read More

• Cross-Tenant Impersonation: Prevention and Detection

  

  SummaryOkta has observed attacks in which a threat actor used social engineering to attain a highly privileged role in an Okta customer Orga

  
  Read More

Related rules

• Github Outside Collaborator Detected
• Added Credentials to Existing Application
• Okta Admin Role Assigned to an User or Group
• LiteLLM / TeamPCP Supply Chain Attack Indicators
• TeamPCP LiteLLM Supply Chain Attack Persistence Indicators