Classification:

attack

Tactic:

TA0007-discovery

Technique:

T1526-cloud-service-discovery

VIEW RULE IN DATADOG VIEW SIGNALS

Set up the okta integration.

Goal

Detect and investigate attempts to enumerate applications using Okta, which may indicate an attacker is probing for accessible resources to facilitate lateral movement.

Strategy

This rule monitors enumeration activities via Okta where repeated queries are made to list available applications. Such behavior may suggest an attempt to identify accessible resources and potentially map out targets for lateral movement.

Triage and Response

1. Validate the user activity:

   • Check if the user account ({{@usr.name}}) or associated IP address has a legitimate reason for listing applications.
   • Review recent authentication attempts and associated IP addresses to determine if there are additional signs of compromise or unauthorized access.

2. Investigate suspicious enumeration activity:

   • Review Okta logs for additional enumeration patterns, such as repeated application listing requests from the same IP or user within a short time frame.
   • Examine logs for any unusual or infrequent applications being accessed or targeted in enumeration requests.

3. Containment and remediation:

   • If the enumeration activity is deemed unauthorized, consider restricting the user’s access temporarily and resetting credentials to prevent further probing.
   • Conduct a broader investigation into recent activity from the flagged user and IP to check for other signs of lateral movement, such as privilege escalation or additional resource access attempts.