
Summary
This Elastic detection rule uses a machine learning job to flag unusual spikes in group-to-application assignment change events in Okta, the identity provider that decides which groups (and therefore which users) can reach which applications. A burst of such changes can indicate that an attacker, or a compromised administrative account, is granting groups access to sensitive applications in order to escalate privileges, establish persistence, or move laterally through the environment. The rule fires when the job's anomaly score reaches the configured threshold of 75, so only large deviations from the learned baseline produce alerts and analysts can prioritise them. Triage should establish which groups were assigned to or removed from which applications, which actor made the changes and whether that account's roles and recent sign-ins look legitimate, whether the changes correspond to an approved change or a known provisioning job, and whether other alerts involve the same account or time window. Legitimate bulk provisioning, such as an automation service account onboarding a new application, can also produce such spikes, so confirmed routine sources should be documented as exceptions to limit false positives. The rule requires the Privileged Access Detection integration together with ingested Okta system log events, and the investigation guidance shipped with the rule walks through these steps in more detail.
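The following is an added illustration, not Elastic's ML job, rule query, or any code from the rule's authors. It runs a deliberately simple spike detector over constructed Okta-style events and then produces the per-actor and per-application breakdown an analyst would want first. The three `group.application_assignment.*` event type names are Okta's; the field layout (`published`, `eventType`, `actor`, `target`), the account names, the application names, and the median-deviation scoring with its threshold of 5 are all assumptions for the demo and do not reproduce Elastic's 0-100 anomaly score.

```python
"""Toy spike detector for Okta group-to-application assignment changes.

Added example only: not Elastic's rule or ML job. Event data is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import statistics

# Okta System Log event types for group-to-application assignment changes.
ASSIGNMENT_EVENT_TYPES = {
    "group.application_assignment.add",
    "group.application_assignment.update",
    "group.application_assignment.remove",
}


def build_sample_events():
    """Constructed data: a quiet 48-hour baseline (one routine update every
    other hour plus unrelated sign-in noise) and one hour in which a single
    service account assigns 15 groups to one application."""
    start = datetime(2025, 2, 17, 0, 0, tzinfo=timezone.utc)
    events = []
    for h in range(48):
        ts = start + timedelta(hours=h)
        if h % 2 == 0:
            events.append({
                "published": ts.isoformat(),
                "eventType": "group.application_assignment.update",
                "actor": {"alternateId": "it-admin@example.com"},
                "target": [{"type": "UserGroup", "displayName": "Finance"},
                           {"type": "AppInstance", "displayName": "Workday"}],
            })
        events.append({  # noise the detector must ignore
            "published": ts.isoformat(),
            "eventType": "user.session.start",
            "actor": {"alternateId": "alice@example.com"},
            "target": [],
        })
    spike = start + timedelta(hours=30)  # 2025-02-18 06:00 UTC
    for i in range(15):
        events.append({
            "published": (spike + timedelta(minutes=2 * i)).isoformat(),
            "eventType": "group.application_assignment.add",
            "actor": {"alternateId": "svc-automation@example.com"},
            "target": [{"type": "UserGroup", "displayName": f"Team-{i}"},
                       {"type": "AppInstance", "displayName": "AWS Account Federation"}],
        })
    return events


def _hour(event):
    ts = datetime.fromisoformat(event["published"])
    return ts.replace(minute=0, second=0, microsecond=0)


def hourly_counts(events):
    """Count assignment-change events per UTC hour on a gap-free hourly grid,
    so hours with no changes count as zero in the baseline."""
    counts = Counter(_hour(e) for e in events
                     if e["eventType"] in ASSIGNMENT_EVENT_TYPES)
    if not counts:
        return {}
    grid, h, last = {}, min(counts), max(counts)
    while h <= last:
        grid[h] = counts.get(h, 0)
        h += timedelta(hours=1)
    return grid


def find_spikes(counts, min_hours=24, min_deviation=5.0):
    """Flag hours that deviate sharply from the preceding hours. Uses the
    median and median absolute deviation (floored at 1 so a flat baseline
    does not divide by zero). Stand-in for the ML anomaly score, not a
    reproduction of it."""
    hours = sorted(counts)
    spikes = {}
    for i, hour in enumerate(hours):
        baseline = [counts[h] for h in hours[:i]]
        if len(baseline) < min_hours:
            continue
        median = statistics.median(baseline)
        mad = statistics.median(abs(b - median) for b in baseline)
        deviation = (counts[hour] - median) / max(mad, 1.0)
        if deviation >= min_deviation:
            spikes[hour] = deviation
    return spikes


def triage(events, spike_hours):
    """For each flagged hour: which actors made changes, which applications
    were targeted, and how many distinct groups were touched."""
    summary = {}
    for hour in spike_hours:
        actors, apps, groups = Counter(), Counter(), set()
        for e in events:
            if e["eventType"] not in ASSIGNMENT_EVENT_TYPES or _hour(e) != hour:
                continue
            actors[e["actor"]["alternateId"]] += 1
            for t in e["target"]:
                if t["type"] == "AppInstance":
                    apps[t["displayName"]] += 1
                elif t["type"] == "UserGroup":
                    groups.add(t["displayName"])
        summary[hour] = {"actors": actors, "apps": apps, "group_count": len(groups)}
    return summary


def run():
    events = build_sample_events()
    spikes = find_spikes(hourly_counts(events))
    return spikes, triage(events, spikes)


if __name__ == "__main__":
    for hour, dev in run()[0].items():
        print(f"{hour:%Y-%m-%d %H:00}Z deviation={dev:.1f}")
```

On the constructed data only the 06:00 UTC hour on 2025-02-18 is flagged, and the triage summary shows 15 of its 16 changes coming from one service account against one application, which is exactly the pairing of actor and target an analyst should check against change records before treating the spike as benign automation.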
Categories
- Identity Management
- Cloud
- Application
- Endpoint
Data Sources
- User Account
- Cloud Service
ATT&CK Techniques
- T1098 (Account Manipulation)
- T1068 (Exploitation for Privilege Escalation)
- T1078 (Valid Accounts)
Created: 2025-02-18