Admin Activity Anomaly Insights Explained
Okta & Azure
Last updated
Okta & Azure
Last updated
Oort provides insights into anomalous user behavior for both Azure AD and Okta platforms. The intention is to highlight unusual activity that may be indicators of either privilege escalation or other invasive / evasive tactics used by threat actors within an environment.
The anomalous behavior can include a variety of different actions. This articles provides an understanding of the different categories.
The core criteria to trigger this insight is the following:
A user performing an administrative action (defined below) that they have not previously done over the past 90 days
A user taking a high velocity of administrative actions in a short period of time (configurable, see below)
For the second bullet above related to high velocity admin actions, the default configuration is 10 targets or objects (users, groups, devices) in 10 minutes. This is configurable in the Insight details.
For Okta, the insight details are based on events that are consumed via the Okta System Log. The specific attribute referenced is the Okta eventType.
Because Okta presents a large number of event types, Oort aggregates similar or related events into different categories of actions.
Each of these categories represent actions that, when taken by users who do not normally perform them, should be reviewed by the Security team.
Category | Event types |
okta_custom_admin_role_operations | 'iam.role.create', 'iam.role.delete', 'iam.role.permissions.delete', 'iam.role.permissions.add', 'iam.resourceset.bindings.add', 'iam.resourceset.bindings.delete' |
okta_resourceset_operations | 'iam.resourceset.create', 'iam.resourceset.delete', 'iam.resourceset.resources.add', 'iam.resourceset.resources.delete' |
okta_device_operations | 'device.enrollment.create', 'device.lifecycle.activate', 'device.lifecycle.deactivate', 'device.lifecycle.delete', 'device.lifecycle.suspend', 'device.lifecycle.unsuspend' |
okta_admin_role_operations | 'group.privilege.grant', 'user.account.privilege.grant', 'group.privilege.revoke', 'user.account.privilege.revoke' |
okta_api_token_operation | 'system.api_token.create', 'system.api_token.revoke' |
okta_application_operations | 'application.lifecycle.update', 'application.lifecycle.delete', 'application.lifecycle.deactivate' |
okta_application_sign_on_policy_operations | 'zone.deactivate', 'zone.delete', 'zone.remove_blacklist' |
okta_policy_operations | 'policy.lifecycle.update', 'policy.lifecycle.delete', 'policy.lifecycle.overwrite', 'policy.lifecycle.deactivate' |
okta_policy_rule_operations | 'policy.rule.update', 'policy.rule.delete', 'policy.rule.deactivate' |
rare_mfa_operations | 'user.mfa.factor.update', 'system.mfa.factor.deactivate', 'user.mfa.attempt_bypass', 'user.mfa.factor.deactivate', 'user.mfa.factor.reset_all' |
okta_account_session_impersonation | 'user.session.impersonation.extend', 'user.session.impersonation.grant', 'user.session.impersonation.initiate', 'user.session.impersonation.end', 'user.session.impersonation.revoke' |
okta_config_management | 'security.authenticator.lifecycle.activate', 'security.authenticator.lifecycle.activate', 'security.authenticator.lifecycle.deactivate', 'security.authenticator.lifecycle.update', 'security.device.temporarily_disable_blacklisting', 'security.threat.configuration.update', 'security.request.blocked', 'security.zone.make_blacklist', 'security.zone.remove_blacklist' |
For Azure AD environments, the Insight is based on events collected from Azure AD Directory Audits.
Specifically, the category
field from the directoryAudit resource type is referenced and presented in Oort events and notifications for this check.
Category: Indicates which resource category that's targeted by the activity. For example: UserManagement, GroupManagement, ApplicationManagement, RoleManagement.
From a security and governance perspective, anomalous user activity involving administrative actions - either rare actions or actions taken in bulk against a large number of objects - should be reviewed and confirmed with either -
Known normal behavior for that end user within the platform
A service ticket, request, or temporary privilege escalation that explains and justified the actions taken
Either within the Checks tab for an individual user failing this Insight or within Slack (shown below) or Teams notifications, the event can be marked as Interesting or Normal Behavior to log the result of the review within the Oort platform.
Interesting and Normal Behavior feedback events are reviewed by the Oort Product and Engineering team to enhance the accuracy of the platform.