| ID | Technique | Tactic |
|---|---|---|
| T1087.004 | Cloud Account | Discovery |
Detection: Okta IDP Lifecycle Modifications
Description
The following analytic identifies modifications to Okta Identity Provider (IDP) lifecycle events, including creation, activation, deactivation, and deletion of IDP configurations. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud. Monitoring these events is crucial for maintaining the integrity and security of authentication mechanisms. Unauthorized or anomalous changes could indicate potential security breaches or misconfigurations. If confirmed malicious, attackers could manipulate authentication processes, potentially gaining unauthorized access or disrupting identity management systems.
Search
1`okta` eventType IN ("system.idp.lifecycle.activate","system.idp.lifecycle.create","system.idp.lifecycle.delete","system.idp.lifecycle.deactivate")
2| stats count min(_time) as firstTime max(_time) as lastTime values(target{}.id) as target_id values(target{}.type) as target_modified by src dest src_user_id user user_agent command description
3| `security_content_ctime(firstTime)`
4| `security_content_ctime(lastTime)`
5| `okta_idp_lifecycle_modifications_filter`
Data Source
| Name | Platform | Sourcetype | Source | Supported App |
|---|---|---|---|---|
| Okta | N/A | 'OktaIM2:log' |
'Okta' |
N/A |
Macros Used
| Name | Value |
|---|---|
| okta | eventtype=okta_log OR sourcetype = "OktaIM2:log" |
| okta_idp_lifecycle_modifications_filter | search * |
okta_idp_lifecycle_modifications_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
KillChainPhase.EXPLOITAITON
NistCategory.DE_AE
Cis18Value.CIS_10
APT29
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
Known False Positives
It's possible for legitimate administrative actions or automated processes to trigger this detection, especially if there are bulk modifications to Okta IDP lifecycle events. Review the context of the modification, such as the user making the change and the specific lifecycle event modified, to determine if it aligns with expected behavior.
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| A user [$user$] is attempting IDP lifecycle modification - [$description$] from IP Address - [$src$]" | 81 | 90 | 90 |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | Okta |
OktaIM2:log |
| Integration | ✅ Passing | Dataset | Okta |
OktaIM2:log |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2