Okta API calls indicating application sign on policy modification
Description
AlphaSOC detected modifications to the sign-on policy of an Okta application. Sign-on policies control authentication requirements and access conditions for Okta-integrated applications. While policy modifications may be part of routine administrative tasks, changes to these policies could indicate an attempt to weaken security controls.
Impact
Unauthorized modifications to Okta sign-on policies can weaken authentication requirements, potentially allowing adversaries to bypass security controls. Rule deletions are particularly concerning as they can completely remove MFA enforcement, conditional access restrictions, or device trust requirements. These changes could enable adversaries to gain unauthorized access to sensitive applications and move laterally, escalate privileges, or exfiltrate data.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, or user agent |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review Okta system logs to identify the user who made the policy changes and the specific modifications that occurred. Verify whether the changes were authorized through change management processes. If the changes were unauthorized, revert the policy changes to restore security controls, rotate affected credentials, and audit user permissions. Implement enhanced monitoring and approval workflows for sign-on policy changes.
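The following is an added example, not AlphaSOC's own detection code: it walks constructed Okta System Log events, keeps successful sign-on policy changes, counts which of the action, ASN and user agent are unexpected for that actor, and maps the count to the severity table above. The eventType names are assumed to follow Okta's event type catalog and should be checked against your tenant's logs; the baseline of known actions, ASNs and user agents is made up.

```python
# Okta System Log eventTypes that modify an application sign-on policy.
# Assumption: names follow Okta's event type catalog; verify against your tenant's System Log.
SIGN_ON_POLICY_EVENTS = {"application.policy.sign_on.update", "application.policy.sign_on.rule.create",
                         "application.policy.sign_on.rule.update", "application.policy.sign_on.rule.delete"}
# Severity per the table above: one unexpected property is Informational, two Low, three Medium.
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}

# Constructed baseline of actions, ASNs and user agents previously seen per admin
# (in practice built from historical System Log data; these values are made up).
BASELINE = {"admin@example.com": {"actions": {"application.policy.sign_on.update"},
                                  "asns": {64496}, "user_agents": {"okta-cli/1.0"}}}

def unexpected_properties(event, baseline):
    """Return which of action, asn, user_agent are new for this actor."""
    seen = baseline.get(event["actor"]["alternateId"],
                        {"actions": set(), "asns": set(), "user_agents": set()})
    checks = {"action": (event["eventType"], seen["actions"]),
              "asn": (event["securityContext"]["asNumber"], seen["asns"]),
              "user_agent": (event["client"]["userAgent"]["rawUserAgent"], seen["user_agents"])}
    return {name for name, (value, known) in checks.items() if value not in known}

def assess(events, baseline=BASELINE):
    """Score successful sign-on policy changes; rule deletions are flagged for priority review."""
    findings = []
    for ev in events:
        if ev["eventType"] not in SIGN_ON_POLICY_EVENTS or ev["outcome"]["result"] != "SUCCESS":
            continue  # not a policy change, or the change failed
        unexpected = unexpected_properties(ev, baseline)
        if not unexpected:
            continue  # routine change from a known admin, ASN and tool
        findings.append({"actor": ev["actor"]["alternateId"], "eventType": ev["eventType"],
                         "app": ev["target"][0]["displayName"], "unexpected": sorted(unexpected),
                         "severity": SEVERITY[len(unexpected)],
                         "rule_deleted": ev["eventType"].endswith(".rule.delete")})
    return findings

# Constructed sample events, trimmed to the fields the check reads.
def _event(actor, event_type, asn, ua, result="SUCCESS"):
    return {"actor": {"alternateId": actor}, "eventType": event_type,
            "securityContext": {"asNumber": asn}, "client": {"userAgent": {"rawUserAgent": ua}},
            "target": [{"type": "AppInstance", "displayName": "Payroll App"}],
            "outcome": {"result": result}}

SAMPLE_EVENTS = [
    _event("admin@example.com", "application.policy.sign_on.update", 64496, "okta-cli/1.0"),
    _event("admin@example.com", "application.policy.sign_on.rule.delete", 64496, "okta-cli/1.0"),
    _event("admin@example.com", "application.policy.sign_on.rule.delete", 64500, "curl/8.0"),
    _event("admin@example.com", "user.session.start", 64500, "curl/8.0"),
]
```

Running `assess(SAMPLE_EVENTS)` yields two findings: the rule deletion from a known ASN and tool scores Informational, while the same deletion from a new ASN with a new user agent scores Medium.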