Okta

Okta for Red Teamers — Perimeter Editionnickvangilder

Okta for Red TeamersTrustedSec

The Dilemma of Attacking Okta, Red Team Operations0x00sec - The Home of the Hacker

Okta Logs Decoded: Unveiling Identity Threats Through Threat Hunting - RezonateRezonate

Okta Threat Hunting: Auditing Okta Logs | RezonateRezonate

Okta Events of Interest:

user.mfa.factor.activate - Active MFA factor (basically add device).
user.mfa.factor.deactivate - Remove MFA factor
user.account.reset_password - Reset password
user.session.start - Authentication attempt
device.user.add - Add MFA device (depends on factor).
user.authentication.sso - User clicks a tile in their assigned applications for SSO.

Hunting MFA Devices:

Using device inventory to look for deactivated or active devices.

Devices inventory | Okta

Entra ID:

MFA devices registered in Okta do NOT show up in Entra ID.
Successful Okta MFA logins do NOT show up as multifactor in sign-in logs.
Successful Okta MFA logins do NOT show up in AUDIT logs.

Countermeasures:

Secure Policies (Hardening):

How Okta Works:

Understanding WS-Federation: A modern primer for an obsolete protocolScott Brady

How to set up SSO for Microsoft Office 365 with Okta

PreviousIdentity Apps NextMicrosoft

Last updated 8 months ago