search

Okta

LogoOkta for Red Teamers — Perimeter EditionMediumchevron-right
LogoOkta for Red TeamersTrustedSecchevron-right
Logo0x00sec - The Home of the Hacker0x00sec - The Home of the Hackerchevron-right
https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/www.rezonate.iochevron-right
https://www.rezonate.io/blog/okta-threat-hunting-auditing-okta-logs-part-2/?utm_source=redditwww.rezonate.iochevron-right
LogoMaking Okta do keylogging for youPush Securitychevron-right

hashtag
Okta Events of Interest:

  • user.mfa.factor.activate - Active MFA factor (basically add device).

  • user.mfa.factor.deactivate - Remove MFA factor

  • user.account.reset_password - Reset password

  • user.session.start - Authentication attempt

  • device.user.add - Add MFA device (depends on factor).

  • user.authentication.sso - User clicks a tile in their assigned applications for SSO.

hashtag
Hunting MFA Devices:

Using device inventory to look for deactivated or active devices.

LogoDevices inventory | Okta Identity Enginehelp.okta.comchevron-right

hashtag
Entra ID:

  • MFA devices registered in Okta do NOT show up in Entra ID.

  • Successful Okta MFA logins do NOT show up as multifactor in sign-in logs.

  • Successful Okta MFA logins do NOT show up in AUDIT logs.

hashtag
Countermeasures:

hashtag
Secure Policies (Hardening):

hashtag
How Okta Works:

LogoUnderstanding WS-Federation: A modern primer for an obsolete protocolScott Bradychevron-right
LogoNews | The Comedy Theatrewww.vulongtran.comchevron-right
PreviousIdentity AppsNextMicrosoft

Last updated