Unexpected Okta API calls indicating Okta user profile modification
Description
AlphaSOC detected that an Okta user profile was modified. This activity involves changes to user attributes such as email addresses, phone numbers, location, or other personal information. Malicious actors may modify a user profile to facilitate account takeover, impersonate a legitimate user, or establish persistence within the environment.
Impact
Unauthorized user profile modifications can facilitate account compromise and potentially delay detection. This can lead to unauthorized access, data exfiltration, privilege escalation, or other malicious activities within the organization's systems and applications connected to Okta.
Severity
| Severity | Condition |
|---|---|
| Informational | Okta user profile modified |
| Low | Okta user profile modified in an unexpected way |
| Medium | Okta user profile modified in a suspicious way |
Investigation and Remediation
Review the Okta System Log to identify the specific attributes that were modified, who made the changes, and verify whether the modifications were authorized. If unauthorized, immediately reset the affected user credentials, revert the profile modifications, enable multi-factor authentication if not already enabled, and conduct a thorough security audit of the environment for other indicators of compromise.
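The review step above (which attributes changed, who changed them, and from where) can be scripted against a System Log export. The following is an added example, not AlphaSOC's or Okta's code: it parses newline-delimited `user.account.update_profile` events, pulls out actor, target, source IP and changed attributes, and sorts each event into the three severity tiers of the table. The event shape follows the Okta System Log API, but the location of the changed-attribute list under `debugContext.debugData.changedAttributes`, the sensitive-attribute set, the trusted network range, the scoring rules and every sample value are assumptions made for this example.

```python
"""Triage Okta System Log profile-update events from an NDJSON export.

Added example, not AlphaSOC's or Okta's code. The event layout follows the
Okta System Log API; the path debugContext.debugData.changedAttributes, the
severity rules and all sample values are assumptions of this example.
"""
import ipaddress
import json

# Okta System Log event type emitted when a user profile is changed.
PROFILE_UPDATE = "user.account.update_profile"

# Attributes whose change can enable account takeover (assumption; tune to
# your tenant's profile schema).
SENSITIVE_ATTRS = {"login", "email", "secondEmail", "mobilePhone", "primaryPhone"}

# Networks administrators are expected to work from (constructed value).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def make_event(actor_id, actor_login, target_id, target_login, ip, changed,
               event_type=PROFILE_UPDATE):
    """Build a minimal Okta-shaped event (constructed test data only)."""
    return {
        "eventType": event_type,
        "published": "2024-01-01T00:00:00.000Z",
        "outcome": {"result": "SUCCESS"},
        "actor": {"id": actor_id, "type": "User", "alternateId": actor_login},
        "client": {"ipAddress": ip},
        "target": [{"id": target_id, "type": "User", "alternateId": target_login}],
        "debugContext": {"debugData": {"changedAttributes": changed}},
    }


SAMPLE_EVENTS = [  # constructed events, not real log data
    # A user edits their own display name from the office network.
    make_event("u1", "alice@example.com", "u1", "alice@example.com",
               "203.0.113.10", "displayName"),
    # An admin changes another user's department from the office network.
    make_event("u9", "helpdesk@example.com", "u2", "bob@example.com",
               "203.0.113.20", "department"),
    # A third party rewrites login and email from an address outside the office.
    make_event("u7", "contractor@example.com", "u3", "carol@example.com",
               "198.51.100.77", "email, login"),
    # Unrelated event type; the triage must skip it.
    make_event("u1", "alice@example.com", "u1", "alice@example.com",
               "203.0.113.10", "", event_type="user.session.start"),
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def changed_attributes(event):
    """Return the modified attribute names, accepting a list or a CSV string."""
    raw = event.get("debugContext", {}).get("debugData", {}).get("changedAttributes", "")
    items = raw if isinstance(raw, list) else raw.split(",")
    return [a.strip() for a in items if a and a.strip()]


def from_trusted_network(ip):
    """True when the client IP falls inside one of TRUSTED_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage(event):
    """Score one profile-update event into informational / low / medium.

    Assumed rules: each of (actor is not the target), (a sensitive attribute
    changed), (source IP outside trusted networks) adds one point;
    0 -> informational, 1 -> low, 2 or more -> medium.
    """
    users = [t for t in event.get("target", []) if t.get("type") == "User"]
    target = users[0] if users else {}
    actor = event.get("actor", {})
    changed = changed_attributes(event)
    ip = event.get("client", {}).get("ipAddress", "")
    self_service = actor.get("id") == target.get("id")
    signals = {
        "other_actor": not self_service,
        "sensitive_attr": bool(SENSITIVE_ATTRS & set(changed)),
        "untrusted_ip": not from_trusted_network(ip),
    }
    score = sum(signals.values())
    severity = "informational" if score == 0 else "low" if score == 1 else "medium"
    return {
        "published": event.get("published"),
        "actor": actor.get("alternateId"),
        "target": target.get("alternateId"),
        "source_ip": ip,
        "changed": changed,
        "self_service": self_service,
        "signals": [name for name, hit in signals.items() if hit],
        "severity": severity,
    }


def triage_log(ndjson_text):
    """Parse newline-delimited System Log JSON and triage profile updates only."""
    results = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("eventType") == PROFILE_UPDATE:
            results.append(triage(event))
    return results


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(f"{r['severity']:<13} {r['actor']} -> {r['target']} "
              f"changed={r['changed']} from {r['source_ip']} signals={r['signals']}")
```

The output lines give an analyst the three facts the remediation step asks for (what changed, who changed it, and from where) per event, so the decision to revert the profile and reset credentials can be made per user rather than across the whole tenant. Self-service edits of non-sensitive fields stay informational; the sensitive-attribute and off-network signals are what push an event toward the medium tier.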