Okta Admin Activity Anomaly
Last updated
Detects administrative actions that an account has not performed before, or administrative actions taken against many targets at once. A user fails this check when their administrative actions touch 10 or more distinct targets within a window of 10 minutes or less.
Adversaries may create or modify accounts to maintain access to victim systems, or change configuration settings to evade defenses and/or escalate privileges.
Verify with the account owner the reason for the changes.
Most alerts will reflect routine account or application lifecycle activity (joiners, leavers, movers), so check the context of the action before escalating. Read below for more detailed remediation recommendations.
Default Check Settings
Number of distinct targets: 10
Timeframe in minutes: 10
Identity Intelligence provides insight into anomalous user behavior on both the Azure AD and Okta platforms. The intent is to surface unusual activity that may indicate privilege escalation or other invasive or evasive tactics used by threat actors within an environment.
Anomalous behavior covers a variety of actions; this article explains the different categories. The core criteria that trigger this insight are the following:
A user performing an administrative action (defined below) that they have not performed in the past 90 days
A user taking a high velocity of administrative actions in a short period of time (configurable, see below)
For high-velocity admin actions, the default configuration is 10 targets or objects (users, groups, devices) within 10 minutes, as listed above under "Default Check Settings". This is configurable via the Check Settings.
For Okta, the insight is derived from events consumed via the Okta System Log; the specific attribute referenced is the Okta eventType.
Because Okta emits a large number of event types, Identity Intelligence aggregates similar or related events into categories of actions.
Each of these categories represents actions that, when taken by users who do not normally perform them, should be reviewed by the security team.
Category: Event types
okta_custom_admin_role_operations: iam.role.create, iam.role.delete, iam.role.permissions.delete, iam.role.permissions.add, iam.resourceset.bindings.add, iam.resourceset.bindings.delete
okta_resourceset_operations: iam.resourceset.create, iam.resourceset.delete, iam.resourceset.resources.add, iam.resourceset.resources.delete
okta_device_operations: device.enrollment.create, device.lifecycle.activate, device.lifecycle.deactivate, device.lifecycle.delete, device.lifecycle.suspend, device.lifecycle.unsuspend
okta_admin_role_operations: group.privilege.grant, user.account.privilege.grant, group.privilege.revoke, user.account.privilege.revoke
okta_api_token_operation: system.api_token.create, system.api_token.revoke
okta_application_operations: application.lifecycle.update, application.lifecycle.delete, application.lifecycle.deactivate
okta_application_sign_on_policy_operations: zone.deactivate, zone.delete, zone.remove_blacklist
okta_policy_operations: policy.lifecycle.update, policy.lifecycle.delete, policy.lifecycle.overwrite, policy.lifecycle.deactivate
okta_policy_rule_operations: policy.rule.update, policy.rule.delete, policy.rule.deactivate
rare_mfa_operations: user.mfa.factor.update, system.mfa.factor.deactivate, user.mfa.attempt_bypass, user.mfa.factor.deactivate, user.mfa.factor.reset_all
okta_account_session_impersonation: user.session.impersonation.extend, user.session.impersonation.grant, user.session.impersonation.initiate, user.session.impersonation.end, user.session.impersonation.revoke
okta_config_management: security.authenticator.lifecycle.activate, security.authenticator.lifecycle.deactivate, security.authenticator.lifecycle.update, security.device.temporarily_disable_blacklisting, security.threat.configuration.update, security.request.blocked, security.zone.make_blacklist, security.zone.remove_blacklist
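The following is an added example, not Identity Intelligence's own code, that re-creates the two trigger conditions (a "new" admin action for an actor within the 90-day baseline, and a burst of admin actions against 10 or more distinct targets in 10 minutes) over Okta System Log entries, using a subset of the category table above. The sample events, the baseline dictionary, the target-type filter (User, UserGroup, Device, matching "users, groups, devices") and the sample identifiers are all constructed for the example; the real check runs on the platform's own data and may count targets differently.

```python
# Added example (not Identity Intelligence's or Okta's own code): detects a
# rare admin action and a high-velocity burst over Okta System Log events.
from collections import deque
from datetime import datetime, timedelta, timezone

# Subset of the category table above, keyed category -> eventTypes.
CATEGORIES = {
    "okta_admin_role_operations": (
        "group.privilege.grant", "user.account.privilege.grant",
        "group.privilege.revoke", "user.account.privilege.revoke"),
    "okta_api_token_operation": (
        "system.api_token.create", "system.api_token.revoke"),
    "rare_mfa_operations": (
        "user.mfa.factor.update", "system.mfa.factor.deactivate",
        "user.mfa.attempt_bypass", "user.mfa.factor.deactivate",
        "user.mfa.factor.reset_all"),
}
EVENT_TO_CATEGORY = {e: c for c, evs in CATEGORIES.items() for e in evs}

BASELINE_DAYS = 90      # "not previously done over the past 90 days"
DISTINCT_TARGETS = 10   # default check setting
WINDOW_MINUTES = 10     # default check setting
# Assumption: only these System Log target types count as "objects".
COUNTED_TARGET_TYPES = {"User", "UserGroup", "Device"}


def _ts(published):
    """Parse the System Log 'published' timestamp (RFC 3339, trailing Z)."""
    return datetime.fromisoformat(published.replace("Z", "+00:00"))


def detect(events, baseline, targets=DISTINCT_TARGETS, window_min=WINDOW_MINUTES):
    """Evaluate System Log entries in time order and return findings.

    events   -- System Log dicts with actor, eventType, published, target
    baseline -- {(actor_id, category): last seen datetime} from prior history
    Returns a list of (actor_id, kind, detail) tuples.
    """
    findings = []
    last_seen = dict(baseline)
    recent = {}             # actor_id -> deque of (published, target_id)
    over_threshold = set()  # actors already alerted for the current burst
    for ev in sorted(events, key=lambda e: e["published"]):
        category = EVENT_TO_CATEGORY.get(ev["eventType"])
        if category is None:
            continue        # not an admin category; e.g. user.session.start
        actor = ev["actor"]["id"]
        when = _ts(ev["published"])

        # Condition 1: first time this actor did this category in 90 days.
        prev = last_seen.get((actor, category))
        if prev is None or when - prev > timedelta(days=BASELINE_DAYS):
            findings.append((actor, "new_admin_action", category))
        last_seen[(actor, category)] = when

        # Condition 2: distinct targets touched inside the sliding window.
        q = recent.setdefault(actor, deque())
        for t in ev.get("target") or []:
            if t.get("type") in COUNTED_TARGET_TYPES:
                q.append((when, t["id"]))
        while q and when - q[0][0] > timedelta(minutes=window_min):
            q.popleft()
        distinct = {tid for _, tid in q}
        if len(distinct) >= targets:
            if actor not in over_threshold:  # alert once per burst
                findings.append((actor, "high_velocity", len(distinct)))
                over_threshold.add(actor)
        else:
            over_threshold.discard(actor)
    return findings


# Constructed sample data: alice has granted privileges before (baseline)
# but now grants a role to 12 users in 3 minutes; bob creates an API token
# for the first time; a sign-in event is not an admin action and is ignored.
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


def _event(actor, event_type, minutes, targets):
    return {
        "actor": {"id": actor, "type": "User"},
        "eventType": event_type,
        "published": (T0 + timedelta(minutes=minutes)).isoformat().replace("+00:00", "Z"),
        "target": [{"id": tid, "type": ttype} for tid, ttype in targets],
    }


SAMPLE_EVENTS = (
    [_event("00u_alice", "user.account.privilege.grant", i * 0.25,
            [(f"00u_user{i:02d}", "User"), ("ROLE_SUPER_ADMIN", "Role")])
     for i in range(12)]
    + [_event("00u_bob", "system.api_token.create", 5, [("00T_token1", "Token")]),
       _event("00u_bob", "user.session.start", 6, [])]
)
SAMPLE_BASELINE = {("00u_alice", "okta_admin_role_operations"): T0 - timedelta(days=30)}


def run_sample():
    return detect(SAMPLE_EVENTS, SAMPLE_BASELINE)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Alice's grants produce a single high_velocity finding when the tenth distinct user is touched (the role target is not counted), and bob's token creation produces a new_admin_action finding because no baseline entry exists for him; in a triage workflow the first would be checked against a ticket for the bulk change, the second against whether bob's role legitimately includes API token management.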
From a security and governance perspective, anomalous admin activity, whether a rare action or a bulk action taken against a large number of objects, should be reviewed and confirmed against either:
Known normal behavior for that user within the platform
A service ticket, request, or temporary privilege elevation that explains and justifies the actions taken
Check failure events can be marked as Suspicious or Normal Behavior to log the result of an investigation within the Identity Intelligence platform, either on the Failing Check page or on a given user's Checks tab in the User 360. These two feedback options are also available directly in your messaging system if you have configured the check to send alerts to tools such as Slack, Teams or Webex; your selected response is sent back to the Identity Intelligence platform. These triage responses mitigate the user so that they no longer fail the check, and also give the Identity Intelligence Data team valuable insight to improve the accuracy of the platform and its detections.