It's possible for legitimate administrative actions or automated processes to trigger this detection, especially if there are bulk modifications to Okta IDP lifecycle events. Review the context of the modification, such as the user making the change and the specific lifecycle event modified, to determine if it aligns with expected behavior.

Techniques

Sample rules

Okta IDP Lifecycle Modifications

Description

The following analytic identifies modifications to Okta Identity Provider (IDP) lifecycle events, including creation, activation, deactivation, and deletion of IDP configurations. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud. Monitoring these events is crucial for maintaining the integrity and security of authentication mechanisms. Unauthorized or anomalous changes could indicate potential security breaches or misconfigurations. If confirmed malicious, attackers could manipulate authentication processes, potentially gaining unauthorized access or disrupting identity management systems.

Detection logic

`okta` eventType IN ("system.idp.lifecycle.activate","system.idp.lifecycle.create","system.idp.lifecycle.delete","system.idp.lifecycle.deactivate")
| stats count min(_time) as firstTime max(_time) as lastTime values(target{}.id) as target_id values(target{}.type) as target_modified by src dest src_user_id user user_agent command description
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_idp_lifecycle_modifications_filter`
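The search above, replayed in Python over constructed Okta System Log events, as an added example that is not code from the page or from the Splunk content project: it applies the same eventType filter and the same stats grouping, so the out-of-scope login event is dropped and the two IDP creations by one admin collapse into a single row with count 2. The mapping of raw System Log fields to the CIM names the SPL groups by (client.ipAddress as src, actor.id as src_user_id, actor.alternateId as user, eventType as command, displayMessage as description) is this example's assumption, and dest is omitted.

```python
"""Replay of the Okta IDP lifecycle detection over constructed Okta System Log records.
Raw-field to CIM-name mapping (src, src_user_id, user, user_agent, command, description)
is this example's assumption, not something the page states."""
from collections import defaultdict
from datetime import datetime

# Same eventType set the SPL search filters on.
IDP_LIFECYCLE_EVENTS = {
    "system.idp.lifecycle.activate", "system.idp.lifecycle.create",
    "system.idp.lifecycle.delete", "system.idp.lifecycle.deactivate",
}

def _event(event_type, published, target_id, message):
    """Build one constructed Okta System Log record (sample data, not a real log)."""
    return {"eventType": event_type, "published": published,
            "actor": {"id": "00uCONSTRUCTED1", "alternateId": "admin@example.com"},
            "client": {"ipAddress": "198.51.100.7",
                       "userAgent": {"rawUserAgent": "Mozilla/5.0 (constructed)"}},
            "target": [{"id": target_id, "type": "IdentityProvider"}],
            "displayMessage": message}

SAMPLE_EVENTS = [  # constructed: one admin creates two IDPs, activates one, deletes one
    _event("system.idp.lifecycle.create", "2024-05-01T10:00:00.000Z", "0oaIDP1", "Create identity provider"),
    _event("system.idp.lifecycle.create", "2024-05-01T10:01:00.000Z", "0oaIDP2", "Create identity provider"),
    _event("system.idp.lifecycle.activate", "2024-05-01T10:02:30.000Z", "0oaIDP1", "Activate identity provider"),
    _event("system.idp.lifecycle.delete", "2024-05-01T10:06:00.000Z", "0oaIDP2", "Delete identity provider"),
    _event("user.session.start", "2024-05-01T10:07:00.000Z", "00uSOMEUSER", "User login"),  # out of scope
]

def detect_idp_lifecycle_modifications(events):
    """Mirror the SPL: keep IDP lifecycle events, then aggregate count, firstTime, lastTime
    and the target id/type sets per source IP, actor, user agent, eventType, displayMessage."""
    rows = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None,
                                "target_id": set(), "target_modified": set()})
    for ev in events:
        if ev["eventType"] not in IDP_LIFECYCLE_EVENTS:
            continue  # dropped by the eventType IN (...) clause
        key = (ev["client"]["ipAddress"], ev["actor"]["id"], ev["actor"]["alternateId"],
               ev["client"]["userAgent"]["rawUserAgent"], ev["eventType"], ev["displayMessage"])
        ts = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        row = rows[key]
        row["count"] += 1
        row["firstTime"] = ts if row["firstTime"] is None else min(row["firstTime"], ts)
        row["lastTime"] = ts if row["lastTime"] is None else max(row["lastTime"], ts)
        row["target_id"].update(t["id"] for t in ev["target"])
        row["target_modified"].update(t["type"] for t in ev["target"])
    return [dict(src=k[0], src_user_id=k[1], user=k[2], user_agent=k[3], command=k[4],
                 description=k[5], count=v["count"], firstTime=v["firstTime"].isoformat(),
                 lastTime=v["lastTime"].isoformat(), target_id=sorted(v["target_id"]),
                 target_modified=sorted(v["target_modified"]))
            for k, v in sorted(rows.items(), key=lambda kv: kv[1]["firstTime"])]
```

Each returned row corresponds to one line the SPL stats clause would produce; triage starts from the user, src and target_id fields of that row, as the note at the top of the page describes.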