惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
AWS News Blog
AWS News Blog
V
Vulnerabilities – Threatpost
D
Darknet – Hacking Tools, Hacker News & Cyber Security
量子位
博客园 - 叶小钗
AI
AI
T
Tor Project blog
Forbes - Security
Forbes - Security
W
WeLiveSecurity
博客园_首页
爱范儿
爱范儿
J
Java Code Geeks
B
Blog
G
GRAHAM CLULEY
aimingoo的专栏
aimingoo的专栏
Cloudbric
Cloudbric
C
CXSECURITY Database RSS Feed - CXSecurity.com
TaoSecurity Blog
TaoSecurity Blog
L
LINUX DO - 热门话题
阮一峰的网络日志
阮一峰的网络日志
有赞技术团队
有赞技术团队
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Simon Willison's Weblog
Simon Willison's Weblog
云风的 BLOG
云风的 BLOG
Google DeepMind News
Google DeepMind News
H
Help Net Security
博客园 - 三生石上(FineUI控件)
C
Cisco Blogs
C
Cybersecurity and Infrastructure Security Agency CISA
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
P
Palo Alto Networks Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Recent Commits to openclaw:main
Recent Commits to openclaw:main
博客园 - 司徒正美
The Last Watchdog
The Last Watchdog
Blog — PlanetScale
Blog — PlanetScale
T
The Blog of Author Tim Ferriss
S
Secure Thoughts
Spread Privacy
Spread Privacy
F
Fortinet All Blogs
月光博客
月光博客
大猫的无限游戏
大猫的无限游戏
S
SegmentFault 最新的问题
H
Hackread – Cybersecurity News, Data Breaches, AI and More
A
About on SuperTechFans
Security Latest
Security Latest
Webroot Blog
Webroot Blog
Scott Helme
Scott Helme
Hugging Face - Blog
Hugging Face - Blog

Okta Security RSS Feed

OpenSSL HollowByte: A DoS Hiding in 11 Bytes Datadog and Okta Combine for New Customer Detections Detecting OpenClaw at Sign-In Okta Hardening Guide Updated to Secure Non-Human Identities Okta Pooled Security Audits: a One-Year Retrospective Account Recovery, without Password Resets Okta’s Response to React2Shell Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework Attackers Target Hotelier Accounts in Malvertising and Phishing Campaign Using Auth0 Logs for Proactive Threat Detection Controlling Cross-App Data Sprawl in Google Workspace How this ClickFix campaign leads to Redline Stealer Paving the Path: Pooled Audits with Okta Security Building Confidence in Support Comms with Caller Verify at Okta Enabling ISO/IEC 27001:2022 Compliance with Okta Okta’s Secure by Design Pledge - One Year On Leveraging Okta System Logs for Proactive Threat Detection Enhancing Customer Trust Through a Comprehensive Audit Program Okta's new Security Technical Implementation Guide (STIG) A Guide to DORA Compliance with Okta How AI services power the DPRK’s IT contracting scams Detect and Prevent Cross Device Authentication How Responsible Disclosures are Shaping a Safer Cyberspace Cybersecurity’s Next Gen Next.js CVE-2025-29927 CSO Conversations: Matthew Hansen, Regional CSO of Americas West Empowering Security with Customer Trust Solutions Putting Security First with Secure Development One trick finds the root of any Okta troubles CSO Conversations: Stephen McDermid, Regional CSO of EMEA Content-Security-Policy in a Complex Environment CSO Conversations: Keiko Itakura, Regional CSO of Japan How Okta Embraces Identity Verification Using Persona CSO Conversations: Matt Immler, Regional CSO of Americas East Raising the Bar for our Industry with IPSIE Cyber-Safety over the Holidays Okta Social Engineering Impersonation Report - Response and Recommendation Five Reasons to Upgrade your Org to Okta Identity Engine Okta’s Ongoing Commitment to Secure By Design Unveiling the Essence of the Security Customer Trust Function Security Education Through the Art of Storytelling Seven Ways to Reduce Super Admins in Okta The Case for Zero Standing Privileges FastPass: The battle-hardened authenticator Detecting Cross-Origin Authentication Credential Stuffing Attacks How to Block Anonymizing Services using Okta Why Cyber-heroes need a Zero Trust CAEP! Okta Verify Vulnerability Disclosure Report - Response and Remediation Defensive Domain Registration is a Mug’s Game Protecting Administrative Sessions in Okta How to Secure the SaaS Apps of the Future Okta October 2023 Security Incident Investigation Closure October Customer Support Security Incident - Update and Recommended Actions Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation Tracking Unauthorized Access to Okta's Support System Go “Secure by Default” With Custom Admin Roles for IT support staff Cross-Tenant Impersonation: Prevention and Detection BYO Telephony and the future of SMS at Okta Saying “No Thanks” to nOAuth Telling More Okta Detection Stories with Google Chronicle An Unexpected Endorsement for WebAuthn Social Engineering is Getting More Extreme, but the Fixes Can Be Simple Study up on Okta Logs for Splunk’s Boss of the SOC! Keeping Phishing Adversaries Out of the Middle Using Workflows to Respond to Anomalous Push Requests Okta and Splunk Combine to Detect Common Attacks Setting the Right Levels of Assurance for Zero Trust Catch-All's and Canary Rules User Sign-in and Recovery Events in the Okta System Log Okta Code Repositories Detecting Real-Time Phishing Attacks Detecting Real-Time Phishing Attacks Okta’s Response to OpenSSL Security Update System Log: a Window into Supporting the Okta Cloud The Human Factor in Phishing Resistance Auth0 Code Repository Archives From 2020 and Earlier Phishing Resistance and Why it Matters Detecting Scatter Swine: Insights into a Relentless Phishing Campaign Defending against Session Hijacking Unlocking the Mystery of 700+ Okta System Log Events Official Okta Statement on LAPSUS$ Claims Protection, without perimeters We (still) need to talk about RDP Just How Risky is Legacy Authentication?
Monitoring for Abuse of Administrative Privileges
Chris Niggel and Brett Winterford · 2022-10-25 · via Okta Security RSS Feed

All applications require a highly-privileged administrator role to deploy and maintain that application. The monitoring and oversight (audit) of actions performed by users with these roles is a cornerstone of any well-designed security program.

A number of research projects have highlighted ways in which the most privileged administrators in Okta could, if unchecked, abuse their privilege in some way. These research efforts serve to reinforce some long-held security principles: most notably the principle of “least privilege,” that a user or application should only have the permissions required to perform a specific role or function, and the principle of governance, where those responsible for holding privileged access are held to account for their actions.

Below we’ve presented some best practice advice on limiting, securing and monitoring administrative access to Okta.

Constrain Privileged Roles

Okta HealthInsight is a tool that prompts administrators to address misconfigurations or conditions identified in their Okta tenant (“org”). One HealthInsight reminder recommends limiting the number of highly privileged roles (“SuperAdmins”) in any given org.

The SuperAdmin role grants its user full privileges to all the powerful administrative capabilities Okta makes available to its customers. A SuperAdmin can manage users, policies, applications and administrative permissions and set org-level security configurations. Every new Okta org is provisioned an account with the ‘SuperAdmin’ role, and the SuperAdmin has the ability to create other admin roles using this account.

As our colleague Gurinder Bhatti recently blogged, with great power comes great responsibility. The majority of tasks an Okta administrator needs to perform do not require SuperAdmin access. For this reason, there are eight other standard admin roles in every Okta org that can be used to constrain administrator access. Your help desk admin doesn’t need the same rights as the admin that manages API access, for example.

As customer implementations of Okta grow larger and more complex, it creates a requirement to further align administrative capabilities with an individual’s role. To support this need, Okta developed Custom Admin Roles to allow organizations to set even more granular permissions within a role. So your helpdesk admin might, for example, only be granted permissions relevant to users within a specific functional unit (organization or group), a specific set of duties or specific applications and resources.

Delegated flows, meanwhile, provides administrators the ability to run (but not modify) specified Okta Workflows, without requiring SuperAdmin access.

Secure Admin Access

Given what an attacker with unauthorized access to highly privileged roles in Okta can do, admin access should be locked down according to the level of risk associated with how that role might be abused.

SuperAdmin roles should ideally make use of Privileged Access Management solutions that securely store and rotate ephemeral credentials.

Global Session Policies should enforce shorter session durations and idle timeouts for admins versus regular users.

While the permissions and resources available to any given admin role might vary, access to the Okta Admin Console would nearly always meet the NIST criteria for an AAL2+ and AAL3 application. At minimum, the total session for an admin would expire at 12 hours, with an idle timeout of no greater than 15-30 minutes.

Authentication Policies for access to the Admin Console should at a minimum require:

  • Phishing Resistant authenticators (select “Phishing Resistant” as a possession factor constraint) in a policy that requires any two factor types;

  • Access from a trusted network zone (using an allowlist of trusted IPs/ASNs);

  • Access from a registered or managed device (ideally a device exhibiting a strong security posture); and

  • Re-authentication “at every sign-in”.

We also recommend enabling the following features in Okta to prevent abuse of stolen administrative sessions:

Auditing and Monitoring Admin Access

As employees change roles throughout their employment, it is common that they also amass and retain privileged access to systems and data.

Organizations should perform periodic access reviews of admin role assignments and ensure that privileged access is appropriate for each individual. Okta offers an out-of-the-box report that provides a snapshot of all admin roles in use.

Outside of these pre-built reports, privileged access to Okta’s administrative functions can be monitored by security teams using Okta System Log. System Log events can be <a data-cke-saved-href=" />browsed, searched or filtered in the admin console, queried and filtered programmatically via the System Log API, and can be exported or streamed to third-party security monitoring tools.

Given there are over 700+ events emitted by System Log, it might seem exhausting to know where to begin monitoring or auditing this access.

There are a few ways to narrow it down. Keep in mind that most events in System Log follow a similar pattern:

<domain>, <resource>, <action>

So the following query returns events related to users:

eventType eq user.*

The next iteration on this query returns events related to user accounts:

eventType eq user.account*

And the following event returns user password resets:

eventType eq user.account.reset_password

With this structure in mind, below we’ve listed some search terms that could be useful when auditing administrative access.

Access to the Admin Console

All sign-ins to the Okta Admin Console create a unique system log event:

eventType eq "user.session.access_admin_app"

Sign-in events of interest might include events in which access to the Okta Admin Console is denied, especially where there are multiple failure events.

Similarly, you might be interested in access to the Okta Admin Console from a new device or IP or access that triggers a velocity condition (aka “impossible travel”).

(NB: both of the detections below assume that the displayName for the Okta Admin Console has not been modified by administrators.)

Event

Query in Okta Identity Engine

Access to Admin Console denied

eventType eq "user.session.access_admin_app" AND outcome.result eq "FAILURE"

User Denied Access due to ASN/IP Session Binding

eventType eq "security.session.detect_client_roaming"

Request to access Admin Console from new device or IP

eventType eq "policy.evaluate_sign_on" and target.displayName eq "Okta Admin Console" and ((debugContext.debugData.behaviors co "New Device=POSITIVE" and debugContext.debugData.behaviors co "New IP=POSITIVE") OR (debugContext.debugData.logOnlySecurityData co "\"New Device\":\"POSITIVE\"" or debugContext.debugData.logOnlySecurityData co "\"New IP\":\"POSITIVE\""))

Request to access Admin Console that triggers a Velocity condition

eventType eq "policy.evaluate_sign_on" and target.displayName eq "Okta Admin Console" and ((debugContext.debugData.behaviors co "Velocity=POSITIVE") OR (debugContext.debugData.logOnlySecurityData co "\"Velocity\":\"POSITIVE\""))

Privilege Assignment

An audit of administrator privileges should consider what privileges have been assigned to different admins or groups of admins. Any eventType that ends with “privilege.grant” will cover privileges granted to both individual admins and groups of admins.

Event

System Log Query

Assignment of admin privileges or resources to a new user or group.

eventType ew "privilege.grant"

User Lifecycle Events

Querying an event that contains the string “lifecycle” provides a fairly comprehensive view of user lifecycle events triggered by administrative actions.

Event

System Log Query

User lifecycle events initiated by admin

eventType co "lifecycle"

At the org-wide level, this query includes lifecycle events for external IdPs and authenticators, down to devices and authenticators configured at the level of the individual user. Some more granular queries for specific categories of lifecycle events are presented below:

Event

System Log Query

Creating, activating, updating or deleting an Identity Provider.

eventType sw "system.idp"

Creating, activating, updating or deleting an Authenticator/Factor (org-wide).

eventType sw "security.authenticator" OR eventType sw "device.push.provider"

A reset, update or suspension of a user’s authenticator.

eventType sw "user.mfa.factor"

Admin initiated activation, deactivation, deletion or suspension of a user’s registered device.

eventType sw "device.lifecycle"

Policy Change Events

A search for events that contain the word “lifecycle” list include most changes made to an Okta signin policy. Changes to rules within policies aren’t necessarily captured by that query. The query below captures a range of events related to changing access policies.

Event

System Log Query

An Okta Sign-In Policy, or a rule within it, is created, updated or deleted by an Admin

eventType sw "policy.lifecycle" OR eventType sw "policy.rule" OR eventType sw "app.policy"

Other Configuration Changes

There are a number of org-wide configuration events in Okta’s Event Catalog that are just as critical for monitoring and auditing purposes. Changes to network zones or device management platforms, for example, can result in a loss of access for large numbers of users.

Event

System Log Query

Creating, updating or revoking an API Access Token

eventType sw "system.api"

Creating, updating or deleting a network zone, or adding/removing it from a denylist.

eventType co "zone"

Adding, updating or deleting a device management platform

eventType co "device.platform"

Updating, disabling or changing the network zones evaluated by ThreatInsight

eventType eq "security.threat.configuration.update"

A user’s Okta attributes or password pushed/synchronized to an external application via SCIM

eventType sw "application.provision.user*"

Creating a new SWA App

eventType eq "application.lifecycle.create" AND debugContext.debugData.requestUri eq "/api/internal/orgadmin/apps/swa"

Creating a new AD/LDAP sync agent

eventType eq "system.agent.ad.create"

Creating, activating, deactivating or deleting a Log Stream

eventType sw "system.log_stream"

You’ll find a larger set of admin-relevant event types in the Event Type Catalog.

Trusting privileged users is a necessary risk for any application, and the security best practices of least privilege, strong authentication, and activity monitoring provide you with the tools you need to verify actions and mitigate this risk. Okta provides robust solutions to address these requirements. It’s worth noting that all of the events listed above can trigger a custom Okta Workflow (either through a connector event card or an event hook), such that admins can automate responses to events of interest.

By adding the controls detailed here into your security program, you can ensure your administrators have appropriate access, and are using that access to protect your organization.

Change Log

1.1 - Mar 8, 2024

  • Updated recommendations to include new features released as part of Okta Secure Identity Commitment: Protected Actions, ASN/IP Session Binding.

  • Updated detections section to include System Log event for for an authentication failure arising from session binding.

1.0 - Oct 25, 2022

  • Original Published

Chris is the Regional CSO, Americas at Okta, where he is responsible for corporate security compliance, third-party risk, and responding to customer security inquiries. Prior to Okta, Chris spent 6 years leading the adoption of Cloud Technologies at LinkedIn, helping them grow from 350 to over 6,800 employees. He started his career designing, developing, and delivering content management, system administration, and messaging solutions for customers such as Nestle, Cisco, AMD, Telus, and the US Department of Defense. He is also an active member of the Northern California ski community, where he volunteers with the Tahoe Backcountry Ski Patrol performing search & rescue, and teaching ski mountaineering & outdoor survival.

Brett Winterford is Vice President of Okta Threat Intelligence. Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats. Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity.
Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank. Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.