Okta Admin Activity Anomaly
Detects unusual administrative activity in Okta by flagging accounts that either perform an action type for the first time or apply changes to 10 or more targets within 10 minutes, measured against a 90-day behavioral baseline. If needed, exclude specific activity categories or adjust event or timeframe thresholds in Custom Detection Settings to reduce alerts from known high-volume administrative workflows in your environment.
Adversaries may create or modify an account to maintain access to victim systems or modify the configuration settings to evade defenses or escalate the privileges of the compromised account.
Recommended Actions
Verify with the account holder whether the flagged actions were intentional, as these alerts can sometimes reflect normal business lifecycle events such as bulk onboarding, offboarding, and scheduled migrations, or can highlight unexpected results of a desired configuration change.
If the activity is unrecognized or was not clearly authorized, suspend the account immediately and end all active sessions. Review the full list of affected targets (users, groups, apps, roles and policies), prioritizing changes that expand access or weaken controls, to determine the impact and whether any changes need to be reversed or escalated to affected business owners.
Refer to the Admin Activity Anomaly Insights Explained section below for more detailed information and remediation recommendations for this check.
Default Check Settings
Number of distinct targets: 10
Timeframe in minutes: 10
Ignore List: Blank
Compatibility
Use Cases
An identity engineer performs a large remediation or migration, updating many users, groups, applications, or policies in a short period as part of legitimate business work.
A compromised administrator account begins changing roles, memberships, applications, or policies across several targets, creating persistent backdoor access that survives a forced password reset of the original compromised account.
A support or security administrator successfully performs a category of Okta administrative action for the first time, making the behavior unusual enough to warrant business review.
An automated provisioning script running under a user account rather than a designated service account exceeds the target threshold, generating a false positive that still warrants security team review and documentation.
Real-World Incidents
Scattered Spider / MGM Resorts — September 2023 Attackers social-engineered IT help desks into resetting MFA on Okta Super Admin accounts, then immediately made bulk changes to disable authentication requirements and register fraudulent Identity Providers, granting attacker-controlled impersonation access to every application in the environment. BleepingComputer, Sep 2023
Okta Support System Breach — October 2023 After hijacking admin sessions through stolen session tokens, attackers performed administrative reconnaissance actions — including user enumeration and tenant configuration probing — that those accounts had never previously executed, a pattern that first-time action detection would have surfaced immediately. BleepingComputer, Oct 2023

Admin Activity Anomaly Insights Explained
Overview
Identity Intelligence provides insights into anomalous user behavior for both Azure AD and Okta platforms. The intention is to highlight unusual activity that may indicate privilege escalation or other invasive/evasive tactics used by threat actors within an environment.
The anomalous behavior can include a variety of different actions. This article explains the different categories. Either of the following core criteria triggers this insight:
A user performing an administrative action (defined below) that they have not previously done over the past 90 days
A user taking a high velocity of administrative actions in a short period of time (configurable, see below)
Configuration
For high velocity admin actions, the default configuration is 10 targets or objects (users, groups, devices) in 10 minutes, as mentioned above under "Default Check Settings". This is configurable via the Check Settings.
Okta User Anomaly Categories
For Okta, the insight details are based on events that are consumed via the Okta System Log. The specific attribute referenced is the Okta eventType.
Because Okta presents a large number of event types, Identity Intelligence aggregates similar or related events into categories of actions, as shown in the table below. Each of these categories represents actions that, when taken by users who do not normally perform them, should be reviewed by the Security team:
Category / Event types
okta_custom_admin_role_operations: 'iam.role.create', 'iam.role.delete', 'iam.role.permissions.delete', 'iam.role.permissions.add', 'iam.resourceset.bindings.add', 'iam.resourceset.bindings.delete'
okta_resourceset_operations: 'iam.resourceset.create', 'iam.resourceset.delete', 'iam.resourceset.resources.add', 'iam.resourceset.resources.delete'
okta_device_operations: 'device.enrollment.create', 'device.lifecycle.activate', 'device.lifecycle.deactivate', 'device.lifecycle.delete', 'device.lifecycle.suspend', 'device.lifecycle.unsuspend'
okta_admin_role_operations: 'group.privilege.grant', 'user.account.privilege.grant', 'group.privilege.revoke', 'user.account.privilege.revoke'
okta_api_token_operation: 'system.api_token.create', 'system.api_token.revoke'
okta_application_operations: 'application.lifecycle.update', 'application.lifecycle.delete', 'application.lifecycle.deactivate'
okta_application_sign_on_policy_operations: 'zone.deactivate', 'zone.delete', 'zone.remove_blacklist'
okta_policy_operations: 'policy.lifecycle.update', 'policy.lifecycle.delete', 'policy.lifecycle.overwrite', 'policy.lifecycle.deactivate'
okta_policy_rule_operations: 'policy.rule.update', 'policy.rule.delete', 'policy.rule.deactivate'
rare_mfa_operations: 'user.mfa.factor.update', 'system.mfa.factor.deactivate', 'user.mfa.attempt_bypass', 'user.mfa.factor.deactivate', 'user.mfa.factor.reset_all'
okta_account_session_impersonation: 'user.session.impersonation.extend', 'user.session.impersonation.grant', 'user.session.impersonation.initiate', 'user.session.impersonation.end', 'user.session.impersonation.revoke'
okta_config_management: 'security.authenticator.lifecycle.activate', 'security.authenticator.lifecycle.activate', 'security.authenticator.lifecycle.deactivate', 'security.authenticator.lifecycle.update', 'security.device.temporarily_disable_blacklisting', 'security.threat.configuration.update', 'security.request.blocked', 'security.zone.make_blacklist', 'security.zone.remove_blacklist'
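To show how the two trigger criteria (first-time category in a 90-day baseline, and 10 or more distinct targets within 10 minutes) combine with the eventType-to-category mapping above, here is an added example in Python; it is not Identity Intelligence code. It embeds only two categories from the table and a constructed, time-ordered set of System Log events; the field names 'actor', 'targets' and 'published' are simplifications of the real System Log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Two categories copied from the table above; a real run would load the whole table.
CATEGORIES = {
    "okta_admin_role_operations": {"group.privilege.grant", "user.account.privilege.grant",
                                   "group.privilege.revoke", "user.account.privilege.revoke"},
    "rare_mfa_operations": {"user.mfa.factor.update", "system.mfa.factor.deactivate",
                            "user.mfa.attempt_bypass", "user.mfa.factor.deactivate",
                            "user.mfa.factor.reset_all"},
}
EVENT_TO_CATEGORY = {e: c for c, evs in CATEGORIES.items() for e in evs}

def detect_anomalies(events, detect_from, baseline_days=90, max_targets=10,
                     window_minutes=10, ignore=()):
    """Return (actor, kind, detail) findings from time-ordered System Log events, each
    {'actor', 'eventType', 'targets': [ids], 'published': datetime}. Events before
    detect_from only build the baseline; kind is 'first_time' or 'bulk'."""
    last_seen = defaultdict(dict)   # actor -> category -> last time performed
    recent = defaultdict(list)      # actor -> [(time, target_id)] inside the window
    baseline, window = timedelta(days=baseline_days), timedelta(minutes=window_minutes)
    findings = []
    for ev in events:
        category = EVENT_TO_CATEGORY.get(ev["eventType"])
        if category is None or category in ignore:
            continue                # untracked event type, or excluded via the ignore list
        actor, now = ev["actor"], ev["published"]
        prev = last_seen[actor].get(category)
        if now >= detect_from and (prev is None or now - prev > baseline):
            findings.append((actor, "first_time", category))
        last_seen[actor][category] = now
        bucket = recent[actor] + [(now, t) for t in ev["targets"]]
        bucket = [(t, tid) for t, tid in bucket if now - t <= window]   # slide the window
        distinct = {tid for _, tid in bucket}
        if now >= detect_from and len(distinct) >= max_targets:
            findings.append((actor, "bulk", len(distinct)))
            bucket = []             # one finding per burst
        recent[actor] = bucket
    return findings

def sample_events():
    """Constructed sample: old revoke in baseline, then a grant and MFA resets for 10 users."""
    t0 = datetime(2024, 1, 1, 9, 0)
    events = [{"actor": "admin@example.com", "eventType": "group.privilege.revoke",
               "targets": ["grp1"], "published": t0 - timedelta(days=30)},
              {"actor": "admin@example.com", "eventType": "group.privilege.grant",
               "targets": ["grp2"], "published": t0}]
    for i in range(10):
        events.append({"actor": "admin@example.com", "eventType": "user.mfa.factor.reset_all",
                       "targets": [f"user{i}"], "published": t0 + timedelta(minutes=i // 2)})
    return events
```

The privilege grant at the detection start is not flagged because the same category appears 30 days earlier in the baseline, while the first MFA reset is flagged as first-time and the burst of resets trips the bulk threshold.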
Recommendations for User Activity Anomaly Events
From a security and governance perspective, anomalous admin actions and activity - whether rare actions or bulk actions taken against a large number of objects - should be reviewed and confirmed against either:
Known normal behavior for that end user within the platform
A service ticket, request, or temporary privilege escalation that explains and justifies the actions taken
Check failure events can be marked as Suspicious or Normal Behavior to log the result of an investigation within the Identity Intelligence platform, either on the Failing Check page or on a given user's Checks tab in the User 360. These two feedback options are also available directly in your messaging system if you have configured the check to send alerts to tools such as Slack, Teams or Webex; your selected response is sent back to the Identity Intelligence platform. These triage responses not only mitigate the user so that they are no longer failing the check, but also provide the Identity Intelligence Data team with valuable insight to enhance the accuracy of the platform and its detections.