Comment on page
Okta Admin Activity Anomaly
Detects new administrative actions performed by an account, or actions performed on multiple targets simultaneously. Users will fail this check if there are 10 or more different targets within 10 minutes or less.
Adversaries may create/modify an account to maintain access to victim systems or to modify the configuration settings to evade defenses and/or escalate privileges.
Verify with the account the reason for the changes.
Most of the alerts will represent accounts/application lifecycle (join/leave/move) so it's important to check the context of the action.
Default Check Settings
Number of distinct targets: 10
Timeframe in minutes:10