Okta Identity Provider creation or modification

Set up the Okta integration.

Goal

Detect when an Okta Identity Provider has been created or modified.

Strategy

This rule monitors when an Okta Identity Provider has been created or modified. Okta’s security team reported a series of social engineering attacks in which attackers configured a second Identity Provider to act as an “impersonation app” to access applications within the compromised customer organization on behalf of other users.

Triage and response

  1. Contact the user {{@usr.email}} to confirm that the change {{@evt.name}} is authorized.
  2. If the user was unaware of the change:
    • Determine if any other activity occurred from this user. Look for deviations in user agents, IP addresses and network metadata.
    • Begin your organization’s incident response process and investigate for any account takeovers.
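
The deviation check from the triage steps above, as an added example (not part of the original rule or of Datadog's code): it scans Okta System Log events for `system.idp.lifecycle.create` and `system.idp.lifecycle.update` and compares each event's client IP and user agent with the same actor's earlier events. The sample events, addresses and the `triage_idp_changes` helper are constructed for illustration.

```python
# Okta System Log event types for Identity Provider creation and modification.
IDP_EVENTS = {"system.idp.lifecycle.create", "system.idp.lifecycle.update"}

def _event(ts, event_type, actor, ip, ua, idp=None):
    """Build a constructed event using Okta System Log field names."""
    return {"published": ts, "eventType": event_type,
            "actor": {"alternateId": actor},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
            "target": [{"displayName": idp}] if idp else []}

# Constructed sample data (documentation IP ranges, example.com accounts).
SAMPLE_EVENTS = [
    _event("2024-01-10T09:00:00Z", "user.session.start", "admin@example.com",
           "198.51.100.7", "Mozilla/5.0 (Macintosh)"),
    _event("2024-01-10T09:30:00Z", "system.idp.lifecycle.update", "admin@example.com",
           "198.51.100.7", "Mozilla/5.0 (Macintosh)", "Corp SAML"),
    _event("2024-01-10T10:00:00Z", "user.session.start", "helpdesk@example.com",
           "203.0.113.20", "Mozilla/5.0 (Windows NT 10.0)"),
    _event("2024-01-10T11:00:00Z", "system.idp.lifecycle.create", "helpdesk@example.com",
           "192.0.2.44", "Mozilla/5.0 (X11; Linux x86_64)", "Second IdP"),
]

def triage_idp_changes(events):
    """Return one finding per IdP create/update event, flagging a source IP or
    user agent not seen in the same actor's earlier events."""
    seen_ips, seen_uas, findings = {}, {}, []
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["published"]):
        actor = ev["actor"]["alternateId"]
        client = ev.get("client") or {}
        ip = client.get("ipAddress")
        ua = (client.get("userAgent") or {}).get("rawUserAgent")
        ips = seen_ips.setdefault(actor, set())
        uas = seen_uas.setdefault(actor, set())
        if ev["eventType"] in IDP_EVENTS:
            findings.append({
                "time": ev["published"], "actor": actor, "event": ev["eventType"],
                "idp": [t.get("displayName") for t in ev.get("target") or []],
                "has_baseline": bool(ips),  # False: no earlier activity to compare
                "new_ip": ip not in ips, "new_user_agent": ua not in uas,
            })
        ips.add(ip)
        uas.add(ua)
    return findings

if __name__ == "__main__":
    for finding in triage_idp_changes(SAMPLE_EVENTS):
        print(finding)
```

A finding with `has_baseline` set to False has nothing to compare against, so its `new_ip` and `new_user_agent` flags carry no signal on their own.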