New Okta User Created

Apr 27, 2026 · attack.credential-access ·

Detects new user account creation

Sigma rule (View on GitHub)

 1title: New Okta User Created
 2id: b6c718dd-8f53-4b9f-98d8-93fdca966969
 3status: test
 4description: Detects new user account creation
 5author: Nasreddine Bencherchali (Nextron Systems)
 6date: 2023-10-25
 7modified: 2026-04-27
 8references:
 9    - https://developer.okta.com/docs/reference/api/event-types/
10tags:
11    - attack.credential-access
12logsource:
13    service: okta
14    product: okta
15detection:
16    selection:
17        eventType: 'user.lifecycle.create'
18    condition: selection
19falsepositives:
20    - Legitimate and authorized user creation
21level: informational

References

Event Types | Okta Developer

Secure, scalable, and highly available authentication and user management for any app.

Read More

Related rules

Okta 2023 Breach Indicator Of Compromise
Potential Okta Password in AlternateID Field
Notepad++ Updater DNS Query to Uncommon Domains
Uncommon File Created by Notepad++ Updater Gup.EXE
PUA - TruffleHog Execution

New Okta User Created

Sigma rule (View on GitHub)

References

Event Types | Okta Developer

Related rules