Rules: Okta Account Primary Email Address Update

Description

An Okta accounts primary email address has been updated. An adversary may modify an Okta accounts email address to evade detection by users or to gather information about the organization and establish persistence through credential resets.

Additional Details

Detail	Value
Type	Templated Match
Category	Collection
Apply Risk to Entities	user_username, srcDevice_ip
Signal Name	Okta Account Primary Email Address Update
Summary Expression	Primary email address changed for user {{user_username}}
Score/Severity	Static: 3
Enabled by Default	True
Prototype	False
Tags	_mitreAttackTactic:TA0009, _mitreAttackTechnique:T1114.002, _mitreAttackTactic:TA0003, _mitreAttackTechnique:T1098

Vendors and Products

Okta - Single Sign-On

Fields Used

Origin	Field
Normalized Schema	metadata_deviceEventId
Normalized Schema	metadata_product
Normalized Schema	metadata_vendor
Normalized Schema	srcDevice_ip
Normalized Schema	user_username

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

MATCH-S00769.md

MATCH-S00769.md

Rules: Okta Account Primary Email Address Update

Description

Additional Details

Vendors and Products

Fields Used

Files

MATCH-S00769.md

Latest commit

History

MATCH-S00769.md

File metadata and controls

Rules: Okta Account Primary Email Address Update

Description

Additional Details

Vendors and Products

Fields Used