It is possible for legitimate administrative actions or automated processes to trigger this detection, especially when an IDP configuration is being rolled out or retired and several Okta IDP lifecycle events fire in a short window. Review the context of the modification, such as the user making the change, the source IP and user agent it came from, and the specific lifecycle event and target IDP modified, to determine whether it aligns with expected behavior.

Techniques

Sample rules

Okta IDP Lifecycle Modifications

Description

This detection identifies modifications to Okta Identity Provider (IDP) lifecycle events, namely creation, activation, deactivation, and deletion of IDP configurations. Monitoring these events is crucial for maintaining the integrity of authentication within an organization: an actor with administrative access who creates or activates an IDP they control gains a federated login path that bypasses the organization's normal credentials and MFA, while deactivating or deleting a legitimate IDP can lock users out or force them onto a weaker sign-in path. Detecting unauthorized or anomalous changes lets organizations respond quickly to a potential compromise or misconfiguration and keep their identity management systems secure and operational.

Detection logic

`okta` eventType IN ("system.idp.lifecycle.activate","system.idp.lifecycle.create","system.idp.lifecycle.delete","system.idp.lifecycle.deactivate") 
|  stats count  min(_time) as firstTime max(_time) as lastTime values(target{}.id) as target_id values(target{}.type) as target_modified by src dest src_user_id user user_agent command description 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `okta_idp_lifecycle_modifications_filter`
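To show what the search above actually produces, and to give the reviewer described in the false-positive note something concrete to triage, here is a Python re-implementation of the same filter-and-stats logic run over a handful of constructed Okta System Log events. This is an added example, not code from the page or from Splunk Security Content. The field mapping from raw System Log JSON onto the names the SPL uses (src = client IP, user = actor alternateId, src_user_id = actor id, user_agent = raw user agent, command = eventType, description = displayMessage) is an assumption that mirrors what the Okta add-on does; the dest value, the target type string "IdentityProvider", the display messages and all actors, IPs and IDs are made up for the example. The bulk_actors helper goes beyond the SPL: it totals lifecycle events per actor across the stats rows so that a burst of changes from one account stands out during false-positive review.

```python
"""Okta IDP lifecycle detection, re-implemented over constructed System Log events.

Added example: mirrors the SPL (eventType IN (...) | stats ... by ...) and the
`security_content_ctime` macro's "%Y-%m-%dT%H:%M:%S" output; not the page's code.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# The eventType values from the detection's IN(...) clause.
IDP_LIFECYCLE_EVENTS = {
    "system.idp.lifecycle.activate",
    "system.idp.lifecycle.create",
    "system.idp.lifecycle.delete",
    "system.idp.lifecycle.deactivate",
}

ORG_DOMAIN = "example.okta.com"  # assumption: the dest value the add-on would stamp

# Fields the SPL groups by, in the same order as the `by` clause.
GROUP_BY = ("src", "dest", "src_user_id", "user", "user_agent", "command", "description")


def _evt(published, event_type, actor_id, actor, ip, ua, targets, msg):
    """Build one constructed System Log record (shape follows the public schema; values are made up)."""
    return {
        "published": published,
        "eventType": event_type,
        "displayMessage": msg,
        "actor": {"id": actor_id, "type": "User", "alternateId": actor},
        "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
        "target": [{"id": t, "type": "IdentityProvider"} for t in targets],
    }


# Constructed sample log: one admin creating and activating an IDP, a second
# account deactivating and deleting two IDPs, plus an unrelated login event.
SAMPLE_EVENTS = [
    _evt("2024-05-01T10:00:00.000Z", "system.idp.lifecycle.create", "00u1", "alice@example.com",
         "203.0.113.10", "Mozilla/5.0", ["0oa1"], "Create identity provider"),
    _evt("2024-05-01T10:01:30.000Z", "system.idp.lifecycle.activate", "00u1", "alice@example.com",
         "203.0.113.10", "Mozilla/5.0", ["0oa1"], "Activate identity provider"),
    _evt("2024-05-01T10:02:00.000Z", "user.session.start", "00u1", "alice@example.com",
         "203.0.113.10", "Mozilla/5.0", [], "User login to Okta"),
    _evt("2024-05-01T11:00:00.000Z", "system.idp.lifecycle.deactivate", "00u2", "bob@example.com",
         "198.51.100.7", "okta-sdk-python/2.9", ["0oa2"], "Deactivate identity provider"),
    _evt("2024-05-01T11:02:00.000Z", "system.idp.lifecycle.delete", "00u2", "bob@example.com",
         "198.51.100.7", "okta-sdk-python/2.9", ["0oa2"], "Delete identity provider"),
    _evt("2024-05-01T11:03:00.000Z", "system.idp.lifecycle.delete", "00u2", "bob@example.com",
         "198.51.100.7", "okta-sdk-python/2.9", ["0oa3"], "Delete identity provider"),
]


def to_epoch(published):
    """Okta 'published' timestamp (ISO 8601, UTC) -> epoch seconds, like Splunk's _time."""
    dt = datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return dt.timestamp()


def ctime(epoch):
    """Same output as the security_content_ctime macro (convert ctime with %Y-%m-%dT%H:%M:%S)."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def normalize(ev):
    """Map raw System Log fields onto the names the SPL uses (assumed add-on mapping)."""
    targets = ev.get("target", [])
    return {
        "_time": to_epoch(ev["published"]),
        "src": ev["client"]["ipAddress"],
        "dest": ORG_DOMAIN,
        "src_user_id": ev["actor"]["id"],
        "user": ev["actor"]["alternateId"],
        "user_agent": ev["client"]["userAgent"]["rawUserAgent"],
        "command": ev["eventType"],
        "description": ev["displayMessage"],
        "target_ids": [t["id"] for t in targets],    # values(target{}.id)
        "target_types": [t["type"] for t in targets],  # values(target{}.type)
    }


def detect(events):
    """eventType filter + stats count/min/max/values by GROUP_BY; returns one dict per stats row."""
    rows = {}
    for ev in events:
        if ev["eventType"] not in IDP_LIFECYCLE_EVENTS:
            continue  # the search clause drops everything else
        n = normalize(ev)
        key = tuple(n[f] for f in GROUP_BY)
        row = rows.setdefault(key, {**dict(zip(GROUP_BY, key)), "count": 0,
                                    "firstTime": n["_time"], "lastTime": n["_time"],
                                    "target_id": set(), "target_modified": set()})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], n["_time"])
        row["lastTime"] = max(row["lastTime"], n["_time"])
        row["target_id"].update(n["target_ids"])          # values() collapses to distinct set
        row["target_modified"].update(n["target_types"])
    out = []
    for row in rows.values():
        row["firstTime"], row["lastTime"] = ctime(row["firstTime"]), ctime(row["lastTime"])
        row["target_id"], row["target_modified"] = sorted(row["target_id"]), sorted(row["target_modified"])
        out.append(row)
    return sorted(out, key=lambda r: (r["firstTime"], r["command"]))


def bulk_actors(rows, threshold=3):
    """Triage aid for the false-positive note: actors whose lifecycle events across all rows reach threshold."""
    per_actor = defaultdict(int)
    for r in rows:
        per_actor[r["user"]] += r["count"]
    return {u: c for u, c in per_actor.items() if c >= threshold}


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    print(json.dumps(results, indent=2))
    print("bulk actors:", bulk_actors(results))
```

Running it yields four stats rows (the login event is filtered out): the two delete events from the same actor, IP, user agent and description collapse into one row with count 2 and a multi-valued target_id, exactly as `values()` does in Splunk, and bulk_actors flags bob@example.com with three lifecycle changes in a few minutes, which is the "bulk modification" pattern the false-positive note says to review rather than dismiss.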