Okta Identity Provider creation or modification

okta

Classification:

attack

Set up the okta integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when an Okta Identity Provider has been created or modified.

Strategy

This rule monitors when an Okta Identity Provider has been created or modified. Okta’s security team reported a series of social engineering attacks in which attackers configured a second Identity Provider to act as an “impersonation app” to access applications within the compromised customer organization on behalf of other users.

Triage and response

  1. Contact the user {{@usr.email}} to ensure the change {{@evt.name}} is authorized.
  2. If the user was unaware of the change:
    • Determine if any other activity occurred from this user. Look for deviations in user agents, IP addresses and network metadata.
    • Begin your organization’s incident response process and investigate for any account takeovers.
PREVIEWING: mervebolat/span-id-preprocessing