
Description

This detection identifies modifications to Okta Identity Provider (IDP) lifecycle events, such as creation, activation, deactivation, and deletion of IDP configurations. Monitoring these events is crucial for maintaining the integrity and security of authentication mechanisms within an organization. By detecting unauthorized or anomalous changes, organizations can quickly respond to potential security breaches or misconfigurations, ensuring that their identity management systems remain secure and operational.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Last Updated: 2024-03-14
  • Author: Bhavin Patel, Splunk
  • ID: e0be2c83-5526-4219-a14f-c3db2e763d15

Annotations

ATT&CK

ID         Technique      Tactic
T1087.004  Cloud Account  Discovery
Kill Chain Phase
  • Exploitation
NIST
  • DE.AE
CIS20
  • CIS 10
CVE

Search

`okta` eventType IN ("system.idp.lifecycle.activate","system.idp.lifecycle.create","system.idp.lifecycle.delete","system.idp.lifecycle.deactivate")
| stats count min(_time) as firstTime max(_time) as lastTime values(target{}.id) as target_id values(target{}.type) as target_modified by src dest src_user_id user user_agent command description
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_idp_lifecycle_modifications_filter`

Macros

The SPL above uses the following Macros:

Note: okta_idp_lifecycle_modifications_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • eventType
  • target{}.id
  • target{}.type
  • src
  • dest
  • src_user_id
  • user
  • user_agent
  • command
  • description

How To Implement

This analytic requires Okta OktaIm2 logs, ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).

Known False Positives

It's possible for legitimate administrative actions or automated processes to trigger this detection, especially if there are bulk modifications to Okta IDP lifecycle events. Review the context of the modification, such as the user making the change and the specific lifecycle event modified, to determine if it aligns with expected behavior.

Associated Analytic Story

RBA

Risk Score  Impact  Confidence  Message
81.0        90      90          A user [$user$] is attempting IDP lifecycle modification - [$description$] from IP Address - [$src$]

Note: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.
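The following is an added example, not part of this Splunk analytic, that emulates the Search above and the RBA formula in plain Python: it filters constructed Okta System Log events (field names normalised to those the SPL uses; the event values are assumed, not real Okta output) to the four IDP lifecycle event types, aggregates them by the same grouping fields as the stats command, and builds the risk message.

```python
# Added example: emulate the "stats ... by" aggregation of the SPL and the RBA score.
from collections import defaultdict

LIFECYCLE_EVENTS = {
    "system.idp.lifecycle.activate", "system.idp.lifecycle.create",
    "system.idp.lifecycle.delete", "system.idp.lifecycle.deactivate",
}
GROUP_BY = ("src", "dest", "src_user_id", "user", "user_agent", "command", "description")

def _event(ts, etype, user, uid, src, desc, target_id, target_type="IdentityProvider"):
    # Constructed sample event in the normalised field layout the SPL expects.
    return {"_time": ts, "eventType": etype, "command": etype, "description": desc,
            "user": user, "src_user_id": uid, "src": src, "dest": "example.okta.com",
            "user_agent": "Mozilla/5.0", "target": [{"id": target_id, "type": target_type}]}

# Constructed sample data: two deletes by one admin, one activation by another user,
# and one unrelated session event that the eventType filter must drop.
SAMPLE_EVENTS = [
    _event(1710403200, "system.idp.lifecycle.delete", "admin@example.com", "00u1",
           "203.0.113.10", "Delete IdP", "0oa1"),
    _event(1710403260, "system.idp.lifecycle.delete", "admin@example.com", "00u1",
           "203.0.113.10", "Delete IdP", "0oa2"),
    _event(1710403300, "system.idp.lifecycle.activate", "svc@example.com", "00u2",
           "198.51.100.7", "Activate IdP", "0oa3"),
    _event(1710403400, "user.session.start", "admin@example.com", "00u1",
           "203.0.113.10", "User login", "00u1", "User"),
]

def detect(events):
    """Filter to IDP lifecycle events and aggregate like the SPL stats command."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("eventType") in LIFECYCLE_EVENTS:
            groups[tuple(ev.get(f) for f in GROUP_BY)].append(ev)
    rows = []
    for key, evs in groups.items():
        row = dict(zip(GROUP_BY, key))
        row["count"] = len(evs)
        row["firstTime"] = min(e["_time"] for e in evs)
        row["lastTime"] = max(e["_time"] for e in evs)
        # values() in SPL yields the distinct values, sorted; mirror that here.
        row["target_id"] = sorted({t["id"] for e in evs for t in e["target"]})
        row["target_modified"] = sorted({t["type"] for e in evs for t in e["target"]})
        rows.append(row)
    return rows

def risk_score(impact, confidence):
    return impact * confidence / 100  # the formula stated in the note above

def risk_message(row):
    return (f"A user [{row['user']}] is attempting IDP lifecycle modification - "
            f"[{row['description']}] from IP Address - [{row['src']}]")
```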

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1