A user observed and reported unusual activity in Okta

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2025-01-19
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period: 14 Days
Training Period: 30 Days
Test Period: 1 Hour
Deduplication Period: 1 Day
Required Data:
  • Requires:
    • Okta Audit Log
Detection Modules: Identity Threat Module
Detector Tags: Okta Audit Analytics
ATT&CK Tactic: Initial Access (TA0001)
ATT&CK Technique: Valid Accounts (T1078)
Severity: Informational

Description

A user observed and reported unusual activity in Okta.

Attacker's Goals

An attacker tries infiltrating an Okta account to gain unauthorized access to valuable resources.

Investigative actions

  • Investigate the original event that was reported as suspicious.
  • Contact the user and find out why they reported the activity as suspicious.
  • Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Follow up on any further actions performed by the account.

Variations

Multiple users have reported the same suspicious activity

Synopsis

ATT&CK Tactic: Initial Access (TA0001)
ATT&CK Technique: Valid Accounts (T1078)
Severity: Medium

Description

Unusual activity in Okta was reported from an IP address that is not linked to an EDR agent; the operation is rare and was flagged by multiple users.

Attacker's Goals

An attacker tries infiltrating an Okta account to gain unauthorized access to valuable resources.

Investigative actions

  • Investigate the original event that was reported as suspicious.
  • Contact the user and find out why they reported the activity as suspicious.
  • Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Follow up on any further actions performed by the account.

Unusual activity in Okta was reported by a user along with suspicious characteristics

Synopsis

ATT&CK Tactic: Initial Access (TA0001)
ATT&CK Technique: Valid Accounts (T1078)
Severity: Low

Description

A user observed and reported unusual activity in Okta.

Attacker's Goals

An attacker tries infiltrating an Okta account to gain unauthorized access to valuable resources.

Investigative actions

  • Investigate the original event that was reported as suspicious.
  • Contact the user and find out why they reported the activity as suspicious.
  • Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Follow up on any further actions performed by the account.
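The investigative actions listed for the base alert and for both variations, together with the conditions the Medium variation keys on (multiple reporters, an IP not linked to an EDR agent, a rare operation), as one added triage example. This is not Cortex XSIAM or Okta code. It assumes Okta's end-user report event type user.account.report_suspicious_activity_by_enduser (a real Okta event type that this page does not name), a constructed, trimmed record layout in which the reported event's uuid sits in target[0]['id'], a constructed EDR inventory (EDR_COVERED_IPS) and a stand-in rarity threshold (RARE_THRESHOLD) in place of the baseline the product learns during its training period. All sample events are constructed.

```python
"""Triage helper for Okta 'user reported suspicious activity' reports.

Added example, not Cortex XSIAM or Okta code. Constructed assumptions:
- events are Okta System Log records (the Okta Audit Log this alert requires)
  trimmed to the fields used here; real records carry many more;
- a user's report is the event type REPORT_EVENT and (assumed layout) the
  reported event's uuid is in target[0]['id'];
- EDR_COVERED_IPS stands in for an inventory of IPs that have an EDR agent;
- RARE_THRESHOLD stands in for the learned baseline of operation frequency.
"""
from collections import Counter
from datetime import datetime

REPORT_EVENT = "user.account.report_suspicious_activity_by_enduser"
RARE_THRESHOLD = 2               # seen this many times or fewer => rare (assumed)
EDR_COVERED_IPS = {"10.0.0.5"}   # constructed inventory of EDR-covered IPs


def _ev(uuid, published, event_type, actor, ip, reported_uuid=None):
    """Build a trimmed, constructed Okta-style event record."""
    return {
        "uuid": uuid,
        "published": published,
        "eventType": event_type,
        "actor": {"alternateId": actor},
        "client": {"ipAddress": ip},
        "target": [{"id": reported_uuid}] if reported_uuid else [],
    }


# Constructed sample log: routine sign-ins from a managed IP, two admin-console
# accesses from an unmanaged IP that both affected users then report, one report
# of a routine sign-in, and a factor change on alice's account after her report.
EVENTS = [
    _ev("e0", "2025-01-10T07:00:00Z", "user.session.start", "alice@example.com", "10.0.0.5"),
    _ev("e1", "2025-01-10T07:30:00Z", "user.session.start", "bob@example.com", "10.0.0.5"),
    _ev("e2", "2025-01-10T07:45:00Z", "user.session.start", "dave@example.com", "10.0.0.5"),
    _ev("e3", "2025-01-10T08:00:00Z", "user.session.access_admin_app", "alice@example.com", "198.51.100.7"),
    _ev("e4", "2025-01-10T08:01:00Z", "user.session.access_admin_app", "bob@example.com", "198.51.100.7"),
    _ev("e5", "2025-01-10T08:05:00Z", "user.session.start", "carol@example.com", "10.0.0.5"),
    _ev("r1", "2025-01-10T08:10:00Z", REPORT_EVENT, "alice@example.com", "10.0.0.5", "e3"),
    _ev("r2", "2025-01-10T08:12:00Z", REPORT_EVENT, "bob@example.com", "10.0.0.5", "e4"),
    _ev("r3", "2025-01-10T08:15:00Z", REPORT_EVENT, "carol@example.com", "10.0.0.5", "e5"),
    _ev("e6", "2025-01-10T08:20:00Z", "user.mfa.factor.update", "alice@example.com", "198.51.100.7"),
    _ev("e7", "2025-01-10T08:30:00Z", "user.session.start", "dave@example.com", "10.0.0.5"),
]


def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def report_events(events):
    """The user reports themselves."""
    return [e for e in events if e["eventType"] == REPORT_EVENT]


def reported_event(events, report):
    """Resolve the original event a report points at (None if we do not have it)."""
    by_uuid = {e["uuid"]: e for e in events}
    targets = report.get("target") or []
    return by_uuid.get(targets[0]["id"]) if targets else None


def actions_after(events, actor, start):
    """Everything the same account did after the reported event, in time order."""
    return sorted(
        (e for e in events
         if e["actor"]["alternateId"] == actor
         and e["eventType"] != REPORT_EVENT
         and _ts(e) > _ts(start)),
        key=_ts,
    )


def priority(finding):
    """Assumed mapping: the Medium variation's stated conditions escalate; anything
    else stays at the base alert's Informational level. The Low variation's
    'suspicious characteristics' are not spelled out on the page, so not modelled."""
    if len(finding["reporters"]) > 1 and not finding["edr_linked"] and finding["rare_operation"]:
        return "medium"
    return "informational"


def triage(events, edr_ips=EDR_COVERED_IPS, rare_threshold=RARE_THRESHOLD):
    """Group reports by (source IP, operation) of the reported event and attach the
    signals an analyst needs: distinct reporters, EDR coverage of the IP, rarity of
    the operation, and each reported account's follow-up actions."""
    op_counts = Counter(e["eventType"] for e in events if e["eventType"] != REPORT_EVENT)
    groups = {}
    for report in report_events(events):
        original = reported_event(events, report)
        if original is None:
            continue  # dangling report: nothing to correlate, leave it for manual follow-up
        key = (original["client"]["ipAddress"], original["eventType"])
        groups.setdefault(key, []).append((report, original))

    findings = []
    for (ip, operation), pairs in groups.items():
        finding = {
            "ip": ip,
            "operation": operation,
            "reporters": sorted({r["actor"]["alternateId"] for r, _ in pairs}),
            "edr_linked": ip in edr_ips,
            "rare_operation": op_counts[operation] <= rare_threshold,
            "follow_up": {
                o["actor"]["alternateId"]:
                    [e["eventType"] for e in actions_after(events, o["actor"]["alternateId"], o)]
                for _, o in pairs
            },
        }
        finding["priority"] = priority(finding)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f["priority"], f["ip"], f["operation"], f["reporters"], f["follow_up"])
```

Run against the constructed log, the two admin-console accesses from 198.51.100.7 collapse into one finding reported by two users, from an IP with no EDR agent, for an operation seen only twice, so it is ranked medium and shows the MFA factor change alice's account made afterwards; carol's report of an ordinary sign-in from a managed IP stays informational. In a real deployment, replace the inventory and threshold with your EDR asset list and the baseline you trust, and feed in the Okta Audit Log this alert requires.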