Detection rules › Panther
Okta Identity Provider Created or Modified
A new 3rd party Identity Provider has been created or modified. Attackers have been observed configuring a second Identity Provider to act as an "impersonation app" to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a “source” IdP in an inbound federation relationship (sometimes called “Org2Org”) with the target.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1199 Trusted Relationship |
| Persistence | T1098 Account Manipulation, T1556 Modify Authentication Process |
| Credential Access | T1556 Modify Authentication Process |
Rule body yaml
AnalysisType: rule
Filename: okta_idp_create_modify.py
RuleID: "Okta.Identity.Provider.Created.Modified"
DisplayName: "Okta Identity Provider Created or Modified"
Enabled: true
LogTypes:
- Okta.SystemLog
Reports:
MITRE ATT&CK:
- TA0006:T1556 # Modify Authentication Process
- TA0001:T1199 # Trusted Relationship
- TA0003:T1098 # Account Manipulation
Severity: High
Description: >
A new 3rd party Identity Provider has been created or modified.
Attackers have been observed configuring a second Identity Provider to act as an "impersonation app"
to access applications within the compromised Org on behalf of other users. This second Identity Provider,
also controlled by the attacker, would act as a “source” IdP in an inbound federation relationship
(sometimes called “Org2Org”) with the target.
Runbook: |
Delegate access to this feature to a Custom Admin Role with the minimum required permissions.
Constrain these roles to groups that exclude highly privileged administrators.
Reference: >
https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
DedupPeriodMinutes: 30
Threshold: 1
Tests:
- ExpectedResult: false
Log:
actor:
alternateId: homer.simpson@duff.com
displayName: Homer Simpson
id: 00abc123
type: User
authenticationcontext:
authenticationStep: 0
externalSessionId: 100-abc-9999
client:
device: Computer
geographicalContext:
city: Springfield
country: United States
geolocation:
lat: 20
lon: -25
postalCode: "12345"
state: Ohio
ipAddress: 1.3.2.4
userAgent:
browser: CHROME
os: Mac OS X
rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
zone: "null"
debugcontext:
debugData:
requestId: AbCdEf12G
requestUri: /api/v1/users/AbCdEfG/lifecycle/reset_factors
url: /api/v1/users/AbCdEfG/lifecycle/reset_factors?
displaymessage: Authentication of user via MFA
eventtype: user.authentication.auth_via_mfa
legacyeventtype: core.user.factor.attempt_fail
outcome:
result: SUCCESS
published: "2022-06-22 18:18:29.015"
request:
ipChain:
- geographicalContext:
city: Springfield
country: United States
geolocation:
lat: 20
lon: -25
postalCode: "12345"
state: Ohio
ip: 1.3.2.4
version: V4
securitycontext:
asNumber: 701
asOrg: verizon
domain: verizon.net
isProxy: false
isp: verizon
severity: INFO
target:
- alternateId: peter.griffin@company.com
displayName: Peter Griffin
id: 0002222AAAA
type: User
transaction:
detail: {}
id: ABcDeFgG
type: WEB
uuid: AbC-123-XyZ
version: "0"
Name: Other Event
- ExpectedResult: true
Log:
actor:
alternateId: homer.simpson@duff.com
displayName: Homer Simpson
id: 00abc123
type: User
authenticationcontext:
authenticationStep: 0
externalSessionId: 100-abc-9999
client:
device: Computer
geographicalContext:
city: Springfield
country: United States
geolocation:
lat: 20
lon: -25
postalCode: "12345"
state: Ohio
ipAddress: 1.3.2.4
userAgent:
browser: CHROME
os: Mac OS X
rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
zone: "null"
debugcontext:
debugData:
requestId: AbCdEf12G
requestUri: /api/v1/users/AbCdEfG/lifecycle/reset_factors
url: /api/v1/users/AbCdEfG/lifecycle/reset_factors?
displaymessage: Authentication of user via MFA
eventtype: system.idp.lifecycle.create
legacyeventtype: core.user.factor.attempt_fail
outcome:
result: SUCCESS
published: "2022-06-22 18:18:29.015"
request:
ipChain:
- geographicalContext:
city: Springfield
country: United States
geolocation:
lat: 20
lon: -25
postalCode: "12345"
state: Ohio
ip: 1.3.2.4
version: V4
securitycontext:
asNumber: 701
asOrg: verizon
domain: verizon.net
isProxy: false
isp: verizon
severity: INFO
target:
- alternateId: peter.griffin@company.com
displayName: Peter Griffin
id: 0002222AAAA
type: User
transaction:
detail: {}
id: ABcDeFgG
type: WEB
uuid: AbC-123-XyZ
version: "0"
Name: FastPass Phishing Block Event
Detection logic
Condition
eventType contains "system.idp.lifecycle"
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
eventType | contains |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
event_type | eventtype |
severity | |
actor | |
client | |
request | |
outcome | |
target | |
debug_context | debugcontext |
authentication_context | authenticationcontext |
security_context | securitycontext |
ips | p_any_ip_addresses |
displayName | actor.displayName |
alternateId | actor.alternateId |
displayName | target.displayName |