Okta Admin Activity Anomaly

Detects new administrative actions performed by an account, or actions performed on multiple targets at once. An account fails this check when it acts on 10 or more distinct targets within a window of 10 minutes or less.

Adversaries may create/modify an account to maintain access to victim systems or to modify the configuration settings to evade defenses and/or escalate privileges.

Recommended Actions

Verify with the account the reason for the changes.

Most of the alerts will represent account/application lifecycle events (join/leave/move), so it's important to check the context of the action.

Default Check Settings

Number of distinct targets: 10

Timeframe in minutes: 10
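The sliding-window logic behind the check (distinct targets per actor within the timeframe), as an added example that is not the product's own rule code. It assumes Okta System Log events with `published`, `actor.alternateId` and a `target` list of objects with an `id`; the sample events and account names are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Default check settings from the page: 10 distinct targets within 10 minutes.
DISTINCT_TARGETS = 10
TIMEFRAME = timedelta(minutes=10)

def parse_published(ts: str) -> datetime:
    # Okta System Log timestamps look like 2024-05-01T10:03:00.000Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")

def find_anomalies(events, distinct_targets=DISTINCT_TARGETS, timeframe=TIMEFRAME):
    """Return [(actor, fired_at, sorted target ids)] for each burst in which an
    actor's sliding window of recent targets reaches the threshold."""
    windows = defaultdict(deque)  # actor -> deque of (timestamp, target id)
    alerts = []
    for ev in sorted(events, key=lambda e: e["published"]):
        actor = ev["actor"]["alternateId"]
        ts = parse_published(ev["published"])
        dq = windows[actor]
        for target in ev.get("target", []):
            dq.append((ts, target["id"]))
        # Evict entries older than the timeframe; repeat hits on one target count once.
        while dq and ts - dq[0][0] > timeframe:
            dq.popleft()
        distinct = {tid for _, tid in dq}
        if len(distinct) >= distinct_targets:
            alerts.append((actor, ev["published"], sorted(distinct)))
            dq.clear()  # reset so the same burst is reported once
    return alerts

def _event(minute, actor, target_id, event_type="user.account.update_profile"):
    # Helper building a constructed Okta System Log style event (hypothetical values).
    return {"published": f"2024-05-01T10:{minute:02d}:00.000Z", "eventType": event_type,
            "actor": {"alternateId": actor}, "target": [{"id": target_id, "type": "User"}]}

# Constructed sample: an admin touching 12 different users in 12 minutes (fires),
# a helpdesk account touching the same user 15 times (1 distinct target, no alert),
# and an account touching 10 users spread over 20 minutes (never 10 in one window).
SAMPLE_EVENTS = (
    [_event(i, "admin@example.com", f"00uADMIN{i:02d}") for i in range(12)]
    + [_event(i, "helpdesk@example.com", "00uSAMEUSER") for i in range(15)]
    + [_event(2 * i, "slow@example.com", f"00uSLOW{i:02d}") for i in range(10)]
)

if __name__ == "__main__":
    for actor, fired_at, targets in find_anomalies(SAMPLE_EVENTS):
        print(f"{fired_at} {actor} acted on {len(targets)} distinct targets: {targets}")
```

Lowering `distinct_targets` shows why the threshold matters: at 3 the slow account also fires, which is the kind of lifecycle noise the Recommended Actions section warns about.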

Compatibility

Okta

Last updated