Okta password extraction via SCIM
Description
AlphaSOC detected suspicious SCIM (System for Cross-domain Identity Management) API activity that may indicate an attempt to extract user credentials or sensitive identity information. SCIM is a protocol used for automating user provisioning and synchronization between identity providers and applications. Threat actors may exploit SCIM endpoints to extract password hashes, security questions, or other credential-related data that could facilitate account compromise and lateral movement within the organization.
Impact
This activity may indicate that an adversary has exploited the SCIM API to extract user passwords or other sensitive credentials. If successful, this could lead to unauthorized access to multiple user accounts, applications, and services. The extracted credentials could later be used to access sensitive resources, exfiltrate data, or establish persistent access to your environment.
Severity
| Severity | Condition |
|---|---|
| Informational | Okta password extraction via SCIM |
Investigation and Remediation
Review Okta system logs and verify whether the SCIM activity originated from authorized applications or IP addresses. If unauthorized access is suspected, reset any potentially compromised credentials, enable multi-factor authentication if not already active, and review all integrated applications with SCIM access permissions for signs of compromise.
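A triage helper for the log review step above, added here as an example and not AlphaSOC's or Okta's code: it scans constructed, simplified Okta System Log entries and flags SCIM-related events whose target application is not on an allowlist or whose source IP falls outside that application's expected range. The event-type substrings in SCIM_EVENT_MARKERS, the AUTHORIZED_SOURCES allowlist and the SAMPLE_LOG entries are assumptions to be replaced with values from your own tenant.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed, simplified Okta System Log entries (not real tenant data).
# The eventType value is an assumption; use the SCIM-related event types you observe.
SAMPLE_LOG = [
    '{"eventType": "app.user_management.push_password_update", "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}, "target": [{"type": "AppInstance", "displayName": "HR System"}]}',
    '{"eventType": "app.user_management.push_password_update", "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "SUCCESS"}, "target": [{"type": "AppInstance", "displayName": "HR System"}]}',
    '{"eventType": "app.user_management.push_password_update", "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}, "target": [{"type": "AppInstance", "displayName": "Unknown Connector"}]}',
    '{"eventType": "user.session.start", "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "SUCCESS"}, "target": []}',
    'not json at all',
]

# Assumed allowlist: each SCIM-integrated app and the source networks it is expected to use.
AUTHORIZED_SOURCES = {"HR System": ["203.0.113.0/24"]}
# Assumed substrings that identify SCIM provisioning events in this tenant.
SCIM_EVENT_MARKERS = ("user_management", "push_password")

def is_scim_event(event):
    event_type = event.get("eventType", "")
    return any(marker in event_type for marker in SCIM_EVENT_MARKERS)

def triage_scim_events(lines, authorized=AUTHORIZED_SOURCES):
    """Return (app, ip, reason) tuples for SCIM events that need analyst review."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            findings.append(("<unparsed>", "<unparsed>", "malformed log line"))
            continue
        if not is_scim_event(event):
            continue  # unrelated event types are ignored
        ip = event.get("client", {}).get("ipAddress", "")
        apps = [t.get("displayName", "") for t in event.get("target", []) if t.get("type") == "AppInstance"]
        for app in apps or ["<no app target>"]:
            nets = authorized.get(app)
            if nets is None:
                findings.append((app, ip, "application not in SCIM allowlist"))
                continue
            try:
                addr = ip_address(ip)
            except ValueError:
                findings.append((app, ip, "missing or invalid source IP"))
                continue
            if not any(addr in ip_network(n) for n in nets):
                findings.append((app, ip, "source IP outside authorized range"))
    return findings

if __name__ == "__main__":
    for app, ip, reason in triage_scim_events(SAMPLE_LOG):
        print(f"{app:20} {ip:16} {reason}")
```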