Suspicious Okta API calls indicating Okta user creation
Description
AlphaSOC detected that a new user was created in Okta. This detection fires when a new user account is created in your Okta organization, which the Okta System Log records as a `user.lifecycle.create` event. User creation is routine administrative activity, but unauthorized user creation is a classic persistence technique: an account the attacker controls survives the password resets and session revocations applied to the identity that was originally compromised.
Impact
Unauthorized user creation in Okta gives an adversary a legitimate credential for every application and service federated through your Okta organization. Depending on the group memberships and application assignments the new account receives, this can lead to unauthorized access to sensitive data, lateral movement across connected systems, or privilege escalation if the account is placed in a privileged group or granted an Okta administrator role.
Severity
| Severity | Condition |
|---|---|
| Informational | Okta user created |
| Low | Unexpected Okta API calls indicating Okta user creation |
| Medium | Suspicious Okta API calls indicating Okta user creation |
Investigation and Remediation
Review the `user.lifecycle.create` event in the Okta System Log and verify that the creation was authorized under your organization's policies. Check the actor (who performed the action), the client IP address and user agent, the time of day, and whether the actor is an administrator who normally provisions users, from a location and network they normally use. Review the new account itself: its group memberships, application assignments, and any administrator role it was granted. If the creation was unauthorized, promptly deactivate the newly created user and revoke its sessions, reset the credentials of the account that performed the creation and revoke that account's sessions and API tokens, and hunt for further activity by the same actor or source IP (other lifecycle changes, `group.user_membership.add` events, new MFA factors, application assignments) that could indicate a broader compromise.
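The triage described above can be scripted against an export of the System Log. The following is an added example, not AlphaSOC's detection logic and not code from Okta: it parses newline-delimited System Log JSON, keeps only `user.lifecycle.create` events, and grades each one along the three axes a reviewer checks first (expected actor, corporate source IP, business hours). The events, the allow-listed admin, the corporate network range, and the severity mapping are all constructed placeholders for illustration.

```python
"""Triage Okta user-creation events from a System Log export.

Added example, not AlphaSOC's or Okta's code. Uses the standard System Log
fields (eventType, published, actor, client, target, outcome); the sample
events, EXPECTED_ACTORS, CORPORATE_NETS and the severity mapping are
constructed placeholders.
"""
import ipaddress
import json
from datetime import datetime

# Okta System Log event type emitted when a user account is created.
USER_CREATE_EVENT = "user.lifecycle.create"

# Placeholder policy (assumptions): who normally provisions users, from where, and when.
EXPECTED_ACTORS = {"it-admin@example.com"}
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS_UTC = range(8, 18)  # 08:00-17:59 UTC

# Constructed sample log lines (not real data), one JSON event per line.
SAMPLE_LOG = """
{"eventType":"user.lifecycle.create","published":"2024-05-06T10:15:02.000Z","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"it-admin@example.com"},"client":{"ipAddress":"203.0.113.17"},"target":[{"type":"User","alternateId":"new.hire@example.com"}]}
{"eventType":"user.session.start","published":"2024-05-06T10:16:00.000Z","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"new.hire@example.com"},"client":{"ipAddress":"203.0.113.17"},"target":[]}
{"eventType":"user.lifecycle.create","published":"2024-05-06T21:40:11.000Z","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"it-admin@example.com"},"client":{"ipAddress":"198.51.100.9"},"target":[{"type":"User","alternateId":"contractor@example.com"}]}
{"eventType":"user.lifecycle.create","published":"2024-05-07T03:02:45.000Z","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"helpdesk@example.com"},"client":{"ipAddress":"198.51.100.9"},"target":[{"type":"User","alternateId":"svc-backup2@example.com"}]}
"""


def parse_events(raw):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def is_corporate_ip(ip):
    """True if ip falls inside one of the corporate ranges; malformed or missing IPs count as unknown."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CORPORATE_NETS)


def triage_event(event):
    """Grade one user-creation event; return None for any other event type."""
    if event.get("eventType") != USER_CREATE_EVENT:
        return None

    actor = event.get("actor", {}).get("alternateId", "<unknown>")
    ip = event.get("client", {}).get("ipAddress", "")
    published = datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
    targets = [t.get("alternateId") for t in event.get("target", []) if t.get("type") == "User"]

    reasons = []
    if actor not in EXPECTED_ACTORS:
        reasons.append(f"actor {actor} is not an expected user-provisioning admin")
    if not is_corporate_ip(ip):
        reasons.append(f"source IP {ip or '<none>'} is outside corporate ranges")
    if published.hour not in BUSINESS_HOURS_UTC:
        reasons.append(f"created at {published.strftime('%H:%M')} UTC, outside business hours")

    # Illustrative mapping onto the page's severity levels: an unexpected actor is
    # always Medium; an expected admin from an odd place or time is Low; else Informational.
    if not reasons:
        severity = "Informational"
    elif actor in EXPECTED_ACTORS:
        severity = "Low"
    else:
        severity = "Medium"

    return {
        "severity": severity,
        "published": event["published"],
        "actor": actor,
        "ip": ip,
        "targets": targets,
        "outcome": event.get("outcome", {}).get("result"),
        "reasons": reasons,
    }


def triage_log(raw):
    """Return triage records for every user-creation event in a log export, in log order."""
    results = []
    for event in parse_events(raw):
        record = triage_event(event)
        if record is not None:
            results.append(record)
    return results


if __name__ == "__main__":
    for rec in triage_log(SAMPLE_LOG):
        print(f"[{rec['severity']}] {rec['published']} {rec['actor']} created {rec['targets']} from {rec['ip']}")
        for reason in rec["reasons"]:
            print(f"    - {reason}")
```

Run against a real export by replacing `SAMPLE_LOG` with the file contents (one event per line) and the placeholder allow-lists with your own. The `user.session.start` line is included deliberately to show that the filter drops unrelated events; in practice, the reasons list is what you carry into the System Log review, and the new account's group memberships and application assignments still need to be checked separately.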