Okta

Okta for Red Teamers — Perimeter Editionnickvangilder

Okta for Red TeamersTrustedSec

The Dilemma of Attacking Okta, Red Team Operations0x00sec - The Home of the Hacker

Okta Logs Decoded: Unveiling Identity Threats Through Threat Hunting - RezonateRezonate

Okta Threat Hunting: Auditing Okta Logs | RezonateRezonate

Making Okta do keylogging for youPush Security

Okta Events of Interest:

• user.mfa.factor.activate - Active MFA factor (basically add device).

• user.mfa.factor.deactivate - Remove MFA factor

• user.account.reset_password - Reset password

• user.session.start - Authentication attempt

• device.user.add - Add MFA device (depends on factor).

• user.authentication.sso - User clicks a tile in their assigned applications for SSO.

Hunting MFA Devices:

Using device inventory to look for deactivated or active devices.

Devices inventory | Okta

Entra ID:

• MFA devices registered in Okta do NOT show up in Entra ID.

• Successful Okta MFA logins do NOT show up as multifactor in sign-in logs.

• Successful Okta MFA logins do NOT show up in AUDIT logs.

Countermeasures:

Secure Policies (Hardening):

How Okta Works:

Understanding WS-Federation: A modern primer for an obsolete protocolScott Brady

How to set up SSO for Microsoft Office 365 with Okta