Unexpected Okta API calls indicating Okta user profile modification

ID: okta_user_profile_modified_anomaly
Data type: Okta
Severity: Informational - Medium
MITRE ATT&CK: TA0003:T1078

Description

AlphaSOC detected that an Okta user profile was modified. This activity involves changes to user attributes such as email addresses, phone numbers, location, or other personal information. Malicious actors may modify a user profile to facilitate account takeover, impersonate a legitimate user, or establish persistence within the environment.

Impact

Unauthorized user profile modifications can facilitate account compromise and potentially delay detection. This can lead to unauthorized access, data exfiltration, privilege escalation, or other malicious activities within the organization's systems and applications connected to Okta.

Severity

Severity        Condition
Informational   Okta user profile modified
Low             Okta user profile modified in an unexpected way
Medium          Okta user profile modified in a suspicious way

Investigation and Remediation

Review the Okta System Log to identify the specific attributes that were modified, who made the changes, and verify whether the modifications were authorized. If unauthorized, immediately reset the affected user credentials, revert the profile modifications, enable multi-factor authentication if not already enabled, and conduct a thorough security audit of the environment for other indicators of compromise.
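The review step above (which attributes changed, who changed them, from where) can be scripted against an export of the Okta System Log. The following is an added example written for this page; it is not AlphaSOC's detection logic and not Okta's own tooling. It assumes events in the JSON shape returned by Okta's System Log API, with the event type `user.account.update_profile` and the edited attribute names in `debugContext.debugData.changedAttributes` (the field name is an assumption; check it against your own tenant's events). The sample events, the admin and IP allow-lists, and the rules that promote a finding from Informational to Low or Medium are all constructed for illustration and mirror the three severity tiers in the table above rather than reproducing AlphaSOC's criteria.

```python
"""Triage Okta System Log profile-modification events into severity tiers.

Added example, not AlphaSOC or Okta code.  Input is one JSON event per line
as exported from the Okta System Log API; the samples below are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

PROFILE_EVENT = "user.account.update_profile"  # Okta event type for profile edits

# Attributes that route password resets and notifications.  Which ones matter
# is this example's assumption; tune to your profile schema.
SENSITIVE_ATTRS = {"email", "secondEmail", "mobilePhone", "primaryPhone", "login"}

RANK = {"Informational": 0, "Low": 1, "Medium": 2}

# Constructed allow-lists standing in for your own identity/network inventory.
KNOWN_ADMINS = {"it-admin@example.com"}
KNOWN_IPS = {"203.0.113.10", "203.0.113.11"}


def _event(actor, target, attrs, ip, result="SUCCESS", etype=PROFILE_EVENT):
    """Build a constructed sample event in Okta System Log shape."""
    return json.dumps({
        "eventType": etype, "published": "2024-05-01T09:12:00.000Z",
        "outcome": {"result": result},
        "actor": {"type": "User", "alternateId": actor},
        "target": [{"type": "User", "alternateId": target}],
        "client": {"ipAddress": ip},
        "debugContext": {"debugData": {"changedAttributes": attrs}},  # assumed field name
    })


SAMPLE_LOGS = [
    _event("alice@example.com", "alice@example.com", "title", "203.0.113.10"),
    _event("it-admin@example.com", "bob@example.com", "mobilePhone", "203.0.113.11"),
    _event("contractor@example.com", "carol@example.com", "email, secondEmail", "198.51.100.77"),
    _event("mallory@example.com", "dave@example.com", "email", "198.51.100.77", result="FAILURE"),
    _event("alice@example.com", "alice@example.com", "", "203.0.113.10", etype="user.session.start"),
]


@dataclass
class Finding:
    target: str
    actor: str
    attributes: list[str]
    ip: str
    severity: str = "Informational"  # every successful profile edit starts here
    reasons: list[str] = field(default_factory=list)

    def raise_to(self, level: str, reason: str) -> None:
        """Record a reason and escalate, never lower, the severity."""
        self.reasons.append(reason)
        if RANK[level] > RANK[self.severity]:
            self.severity = level


def changed_attributes(event: dict) -> list[str]:
    """Return the edited attribute names from the comma-separated debug field."""
    raw = event.get("debugContext", {}).get("debugData", {}).get("changedAttributes", "")
    return [a.strip() for a in raw.split(",") if a.strip()]


def classify(event: dict, known_admins: set[str], known_ips: set[str]) -> Finding | None:
    """Map one event to a Finding, or None if it is not a successful profile edit."""
    if event.get("eventType") != PROFILE_EVENT:
        return None
    if event.get("outcome", {}).get("result") != "SUCCESS":
        return None  # nothing changed; failed attempts deserve their own rule
    actor = event.get("actor", {}).get("alternateId", "<unknown>")
    users = [t for t in event.get("target", []) if t.get("type") == "User"]
    target = users[0].get("alternateId", "<unknown>") if users else "<unknown>"
    attrs = changed_attributes(event)
    ip = event.get("client", {}).get("ipAddress", "")
    sensitive = sorted(SENSITIVE_ATTRS & set(attrs))
    finding = Finding(target=target, actor=actor, attributes=attrs, ip=ip)

    # Unexpected: someone other than the user or a known admin made the edit.
    if actor != target and actor not in known_admins:
        finding.raise_to("Low", "edited by a non-admin third party")
    # Unexpected: recovery-relevant attributes changed on the user's behalf.
    if sensitive and actor != target:
        finding.raise_to("Low", f"recovery attributes {sensitive} changed by someone other than the user")
    # Suspicious: recovery-relevant attributes changed from an unrecognised source.
    if sensitive and ip not in known_ips:
        finding.raise_to("Medium", f"recovery attributes {sensitive} changed from unrecognised IP {ip}")
    return finding


def triage(lines, known_admins=KNOWN_ADMINS, known_ips=KNOWN_IPS) -> list[Finding]:
    """Parse JSON lines and return one Finding per successful profile edit."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the whole review
        finding = classify(event, known_admins, known_ips)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f.severity:13} {f.actor} -> {f.target} {f.attributes} "
              f"{'; '.join(f.reasons) or 'routine self-service edit'}")
```

Run as-is it prints one line per finding: Alice's self-service title change stays Informational, the helpdesk phone change on Bob's account is Low, and the contractor's email changes on Carol's account from an unknown address are Medium; the failed attempt and the unrelated session event are dropped. Each finding carries the three facts the Investigation section asks you to establish (attributes, actor, source), so the Low and Medium rows are the ones to confirm as authorised before deciding on credential resets and reverting the profile.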