A user accessed Okta's admin application

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Okta Audit Log

Detection Modules

Identity Threat Module

Detector Tags

Okta Audit Analytics

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

An attempt to access Okta's admin management application.

Attacker's Goals

Adversaries are attempting to gain access to Okta's administrative application. Admin access could let them alter authentication policies and procedures, create persistent user accounts for later access, and carry out other actions that aid in compromising additional assets.

Investigative actions

  • Contact the user associated with the alert to confirm that the access was legitimate.
  • Review the user's activity immediately before and after the alert, including any account or policy changes made from the admin application.
  • Check the reputation of the source IP address and of its Autonomous System Number (ASN).

Variations

Suspicious Okta Admin App Access Attempt

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A user attempted to access the Okta Admin Application in a suspicious way.

Attacker's Goals

Adversaries are attempting to gain access to Okta's administrative application. Admin access could let them alter authentication policies and procedures, create persistent user accounts for later access, and carry out other actions that aid in compromising additional assets.

Investigative actions

  • Contact the user associated with the alert to confirm that the access was legitimate.
  • Review the user's activity immediately before and after the alert, including any account or policy changes made from the admin application.
  • Check the reputation of the source IP address and of its Autonomous System Number (ASN).
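The base alert and the Suspicious Okta Admin App Access Attempt variation above, as an added example run over constructed Okta System Log records. This is not Cortex XDR's own detection logic. It assumes the Okta event type user.session.access_admin_app and the standard System Log fields actor.alternateId, client.ipAddress, securityContext.asNumber, securityContext.isProxy and outcome.result; the "suspicious" heuristic (a source ASN not seen for the user during the 30-day training window, or a source Okta marks as a proxy), the one-alert-per-user-per-day deduplication and every log record are assumptions made for illustration.

```python
"""Added example (not Cortex XDR's detection logic): flag Okta admin-app
access events in Okta System Log JSON, deduplicate them per user per day, and
mark the "suspicious" ones. user.session.access_admin_app and the field names
read below are Okta System Log fields; the suspicious heuristic (source ASN not
seen for this user in the prior 30 days, or source marked as a proxy) and all
log records are this example's own assumptions and constructed data."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_APP_EVENT = "user.session.access_admin_app"
TRAINING_WINDOW = timedelta(days=30)  # page: Training Period 30 Days
DEDUP_WINDOW = timedelta(days=1)      # page: Deduplication Period 1 Day


def _rec(event_type, published, user, ip, asn, proxy=False, target=None):
    """Build one constructed System Log record (only the fields used here)."""
    rec = {"eventType": event_type, "published": published,
           "actor": {"alternateId": user}, "client": {"ipAddress": ip},
           "securityContext": {"asNumber": asn, "isProxy": proxy},
           "outcome": {"result": "SUCCESS"}}
    if target:
        rec["target"] = [{"type": "User", "alternateId": target}]
    return rec


# Constructed sample log: newline-delimited JSON, one System Log record per line.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _rec("user.session.start", "2024-11-01T08:00:00.000Z",
         "alice@example.com", "203.0.113.10", 64496),
    _rec(ADMIN_APP_EVENT, "2024-11-20T09:15:00.000Z",
         "alice@example.com", "203.0.113.10", 64496),
    _rec(ADMIN_APP_EVENT, "2024-11-20T17:40:00.000Z",   # same day: deduplicated
         "alice@example.com", "203.0.113.10", 64496),
    _rec(ADMIN_APP_EVENT, "2024-12-02T03:05:00.000Z",   # new ASN, via a proxy
         "alice@example.com", "198.51.100.77", 64511, proxy=True),
    _rec("user.lifecycle.create", "2024-12-02T03:09:00.000Z",  # follow-on activity
         "alice@example.com", "198.51.100.77", 64511, proxy=True,
         target="svc-backup@example.com"),
])


def parse_log(text):
    """Parse newline-delimited System Log JSON into dicts sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["_ts"] = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["_ts"])


def admin_app_alerts(events):
    """One alert per user per day for successful admin-app access events.

    'reasons' is empty for the plain (Informational) alert and lists why the
    event would instead be raised as the Low-severity suspicious variation.
    """
    seen = defaultdict(list)   # user -> [(timestamp, asn)] from all earlier events
    last_alert = {}            # user -> time of the last alert emitted for them
    alerts = []
    for e in events:
        user, ts = e["actor"]["alternateId"], e["_ts"]
        sec = e.get("securityContext", {})
        asn = sec.get("asNumber")
        is_access = (e["eventType"] == ADMIN_APP_EVENT
                     and e.get("outcome", {}).get("result") == "SUCCESS")
        if is_access and (user not in last_alert
                          or ts - last_alert[user] >= DEDUP_WINDOW):
            # Baseline: ASNs this user appeared from during the training window.
            baseline = {a for t, a in seen[user] if ts - t <= TRAINING_WINDOW}
            reasons = []
            if asn not in baseline:
                reasons.append("asn_not_in_baseline")
            if sec.get("isProxy"):
                reasons.append("proxy")
            alerts.append({"user": user, "time": ts, "ip": e["client"]["ipAddress"],
                           "asn": asn, "reasons": reasons, "event": e})
            last_alert[user] = ts
        seen[user].append((ts, asn))  # every event feeds the user's baseline
    return alerts


def surrounding_activity(events, alert, hours=24):
    """Events by the same user within +/- hours of the alert, excluding the
    alerting event itself: the 'preceding and following' activity to review."""
    window = timedelta(hours=hours)
    return [e for e in events
            if e != alert["event"]
            and e["actor"]["alternateId"] == alert["user"]
            and abs(e["_ts"] - alert["time"]) <= window]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in admin_app_alerts(evs):
        sev = "Low (suspicious)" if a["reasons"] else "Informational"
        print(a["time"], a["user"], a["ip"], a["asn"], sev, a["reasons"])
        for c in surrounding_activity(evs, a):
            print("   context:", c["published"], c["eventType"],
                  [t["alternateId"] for t in c.get("target", [])])
```

Run as a script, the sample produces an Informational alert for the 2024-11-20 access (the 17:40 access that day is deduplicated) and a suspicious one for the 2024-12-02 access, whose surrounding activity shows a user.lifecycle.create from the same proxy address, the kind of persistent-account creation the Attacker's Goals describe. Two caveats for anyone adapting this: a baseline built from every earlier event learns a new ASN as soon as the attacker's first login lands in the log, so a real implementation should close the training window before the event under test, and the ASN check is only a novelty signal; the IP and ASN reputation lookup in the investigative actions still needs an external source.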