
Unexpected Okta API calls indicating application modification

ID: okta_application_modified_anomaly
Data type: Okta
Severity: Informational - Medium
MITRE ATT&CK: TA0040:T1531

Description

AlphaSOC detected that an Okta application was updated or deleted. While application changes may be part of routine maintenance or SSO integration updates, threat actors may modify or delete applications to disrupt business operations, remove user access, or weaken authentication mechanisms.

Impact

Unauthorized changes to Okta applications can disrupt user access to critical business systems and affect business continuity. Modifications may weaken security controls by altering authentication requirements, enabling phishing attacks through malicious redirect URIs, or extending unauthorized session access via modified token lifetimes. Application deletions can completely remove access to integrated services, causing immediate operational disruption.

Severity

Severity        Condition
Informational   Unexpected action, ASN, or user agent
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

Review Okta system log entries to identify the user account, IP address, and specific application that was modified or deleted. Compare these changes against approved change management records. If unauthorized changes are identified, revert the application to its previous configuration or recreate it with approved settings. Rotate affected credentials and audit user permissions. Implement strict change control processes and enhanced monitoring for Okta application modifications.
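The severity table above can be expressed as a small scoring step over Okta System Log events. The following is an added example, not AlphaSOC's detection code: it counts how many of the three properties (action, ASN, user agent) fall outside a per-tenant baseline, maps the count to the severity tiers, and pulls out the affected application name for triage. The baseline values and sample events are constructed, and the `asn` field is assumed to have been resolved from `client.ipAddress` by a separate GeoIP lookup.

```python
# Added example (not AlphaSOC's code): score Okta application lifecycle events
# by counting how many of {action, ASN, user agent} fall outside a baseline and
# mapping the count to the severity table above. Fields follow the Okta System
# Log schema; "asn" is assumed pre-resolved from client.ipAddress by GeoIP.

APP_EVENTS = {"application.lifecycle.update", "application.lifecycle.delete"}

BASELINE = {  # constructed per-tenant baseline from routine admin activity
    "action": {"application.lifecycle.update"},
    "asn": {"AS64500"},
    "user_agent": {"Mozilla/5.0 (X11; Linux x86_64)"},
}

SEVERITY = {0: None, 1: "Informational", 2: "Low", 3: "Medium"}  # count -> tier

def unexpected_properties(event, baseline=BASELINE):
    """Return the names of the properties that are outside the baseline."""
    observed = {
        "action": event["eventType"],
        "asn": event["asn"],
        "user_agent": event["client"]["userAgent"]["rawUserAgent"],
    }
    return [name for name, value in observed.items()
            if value not in baseline[name]]

def score_event(event, baseline=BASELINE):
    """Return (severity, unexpected, app_name), or None for non-app events."""
    if event["eventType"] not in APP_EVENTS:
        return None
    unexpected = unexpected_properties(event, baseline)
    apps = [t["displayName"] for t in event["target"] if t["type"] == "AppInstance"]
    return SEVERITY[len(unexpected)], unexpected, apps[0] if apps else None

# Constructed sample events (not real tenant data), trimmed to the fields read.
SAMPLE_EVENTS = [
    {"eventType": "application.lifecycle.update", "asn": "AS64500",
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 (X11; Linux x86_64)"}},
     "target": [{"type": "AppInstance", "displayName": "Payroll SSO"}]},
    {"eventType": "application.lifecycle.delete", "asn": "AS64496",
     "client": {"ipAddress": "198.51.100.7",
                "userAgent": {"rawUserAgent": "python-requests/2.31"}},
     "target": [{"type": "AppInstance", "displayName": "Payroll SSO"}]},
    {"eventType": "user.session.start", "asn": "AS64496",
     "client": {"userAgent": {"rawUserAgent": "curl/8.0"}}, "target": []},
]

def triage(events=SAMPLE_EVENTS):
    """Return [(severity, unexpected, app)] for events that raise an alert."""
    return [s for s in map(score_event, events) if s and s[0]]
```

The second sample event (a deletion from an unseen ASN with a scripted user agent) scores Medium, while the routine update scores nothing and the session event is ignored entirely.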