
Suspicious Okta API calls indicating Okta user creation

ID: okta_user_created_suspicious
Data type: Okta
Severity: Informational - Medium
MITRE ATT&CK: TA0003 (Persistence), T1078.004 (Valid Accounts: Cloud Accounts)

Description

AlphaSOC detected that a new user was created in Okta. The detection fires on the Okta System Log event that records a user being created in your Okta organization (Okta logs this as eventType user.lifecycle.create). User creation is routine administrative activity, but an unauthorized creation can indicate that a threat actor is establishing persistence: a freshly minted account passes as a legitimate identity and is not affected when the originally compromised credentials are reset.

Impact

Unauthorized user creation in Okta gives an adversary legitimate credentials for every application and service integrated with your Okta organization. This can lead to unauthorized access to sensitive data, lateral movement across connected systems, and privilege escalation if the created account is added to privileged groups or assigned an administrator role.

Severity

Severity        Condition
Informational   Okta user created
Low             Unexpected Okta API calls indicating Okta user creation
Medium          Suspicious Okta API calls indicating Okta user creation

Investigation and Remediation

Review the Okta System Log entry for the creation (eventType user.lifecycle.create) and verify that it was authorized under your organization's provisioning or joiner process. Check the actor (the administrator, API token or provisioning integration that created the user), the source IP address and user agent, and the target user, and confirm that they match expected administrative activity. A creation performed by an account or token that does not normally provision users, or from an unfamiliar network, warrants closer scrutiny. Also check whether the new user was subsequently added to groups or granted administrator privileges (group.user_membership.add, user.account.privilege.grant), since that is where the real impact lies. If the creation was unauthorized, deactivate the newly created user immediately, reset the credentials of the account that performed the creation and revoke its active sessions and any API tokens it holds, and hunt for further activity by both accounts (sign-ins, application assignments, MFA factor enrolments, policy changes) that might indicate a broader compromise.
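The triage described above, as an added example that is not part of the original page or of AlphaSOC's detection logic: the script parses Okta System Log JSON lines, keeps successful user.lifecycle.create events, and compares the actor and source IP against a per-tenant allowlist. The allowlist values, the corporate network range and the sample log lines are constructed for the example, and the severity heuristic (one anomaly is "unexpected", two is "suspicious") is an assumption, not the criteria the detection itself applies.

```python
"""Triage Okta System Log events for user creation (added example)."""
import ipaddress
import json

# Okta System Log event type emitted when a user is created.
USER_CREATE_EVENT = "user.lifecycle.create"

# Assumed per-tenant context (hypothetical values): logins of the admins and
# provisioning integrations expected to create users, and the egress ranges
# administrators normally work from.
EXPECTED_ACTORS = {"it-admin@example.com", "scim-provisioner@example.com"}
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def _event(uuid, actor, ip, target, event_type=USER_CREATE_EVENT, result="SUCCESS"):
    """Build a constructed sample event shaped like an Okta System Log record."""
    return json.dumps({
        "uuid": uuid, "published": f"2024-05-01T09:{uuid}:00.000Z",
        "eventType": event_type, "displayMessage": "Create okta user",
        "actor": {"type": "User", "alternateId": actor},
        "client": {"ipAddress": ip},
        "outcome": {"result": result},
        "target": [{"type": "User", "alternateId": target}],
    })


# Constructed sample log lines (not real data).
SAMPLE_LOG_LINES = [
    _event("01", "it-admin@example.com", "203.0.113.25", "new.hire@example.com"),
    _event("02", "contractor@example.com", "203.0.113.40", "temp.user@example.com"),
    _event("03", "helpdesk-temp@example.com", "198.51.100.7", "svc-backup@example.com"),
    _event("04", "it-admin@example.com", "203.0.113.25", "someone@example.com",
           event_type="user.session.start"),
    _event("05", "it-admin@example.com", "203.0.113.25", "dup@example.com",
           result="FAILURE"),
]


def parse_event(line):
    """Parse one JSON log line; return None unless it is a successful user creation."""
    ev = json.loads(line)
    if ev.get("eventType") != USER_CREATE_EVENT:
        return None
    if ev.get("outcome", {}).get("result") != "SUCCESS":
        return None
    return ev


def classify(ev):
    """Assign a severity tier to a user-creation event.

    Assumed heuristic: no anomaly is routine (Informational), an unknown actor
    or an off-network source alone is unexpected (Low), both together are
    suspicious (Medium). A missing source IP counts as off-network.
    """
    actor = ev.get("actor", {}).get("alternateId", "")
    ip_raw = ev.get("client", {}).get("ipAddress")
    reasons = []
    if actor not in EXPECTED_ACTORS:
        reasons.append(f"actor {actor!r} is not an expected admin or provisioning integration")
    if ip_raw is None or not any(ipaddress.ip_address(ip_raw) in n for n in CORPORATE_NETWORKS):
        reasons.append(f"source IP {ip_raw} is outside corporate egress ranges")
    severity = ("Informational", "Low", "Medium")[len(reasons)]
    created = [t["alternateId"] for t in ev.get("target", []) if t.get("type") == "User"]
    return {
        "uuid": ev.get("uuid"), "published": ev.get("published"), "severity": severity,
        "actor": actor, "source_ip": ip_raw, "created_users": created, "reasons": reasons,
    }


def triage(lines):
    """Return one finding per successful user creation found in the log lines."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            findings.append(classify(ev))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_LINES):
        print(f"[{f['severity']}] {f['published']} {f['actor']} from {f['source_ip']} "
              f"created {', '.join(f['created_users'])}")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

Against real data, replace SAMPLE_LOG_LINES with the output of the System Log API or an exported log, and extend the actor allowlist with the alternateId of every integration that legitimately provisions users; failed creations are dropped here because the detection concerns accounts that actually exist, but repeated failures from one actor are worth a separate look.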