p4gs/Okta-Incident-Response-Playbook
Okta Incident Response Playbook

A generic security incident response playbook for investigating and responding to potential compromises of Okta's internal systems, in the context of a customer or partner of Okta that uses their platform.

Investigate

| Action Item | Event Types to Analyze |
| --- | --- |
| Review Okta System Log for unusual "Impersonation" events | `user.session.impersonation.grant`, `user.session.impersonation.initiated` |
| Review Okta System Log for unusual "Reset Password" events | `user.account.reset_password` |
| Review Okta System Log for unusual "Reset Multifactor" events | `user.mfa.factor.update`, `system.mfa.factor.deactivate`, `user.mfa.attempt_bypass` |
| Search email system logs for notifications about "Reset Password" and "Reset Multifactor" events and correlate them with the corresponding Okta events analyzed in the steps above. NOTE: if an attacker was able to tamper with Okta's System Log, the email logs provide independent validation of when, and for whom, these events occurred. | |
| Review Okta System Log for unusual changes to Multifactor Authentication policies that would make it easier for an attacker to persist access with compromised credentials (e.g. policy deletions, user exceptions) | |
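The table above, turned into a triage script. This is an added example, not code from the playbook repository: it reads a JSON-lines export of Okta System Log events, flags the watch-listed event types by action item, and cross-checks the "Reset Password" and "Reset Multifactor" events against a mail-gateway log so that an Okta event with no notification (or a notification with no Okta event) stands out. The Okta events and mail log lines are constructed; the mail-log format, the 15-minute correlation window and the subject keywords are assumptions.

```python
"""Added example: triage Okta System Log exports for the playbook's watch-listed
event types and cross-check reset events against e-mail notification logs.
All sample data below is constructed; field names follow the Okta System Log
event schema (eventType, published, actor, target, client, outcome)."""
import json
from datetime import datetime, timedelta

# Event types from the "Investigate" table, grouped by the playbook's action items.
WATCHLIST = {
    "Impersonation": {
        "user.session.impersonation.grant",
        "user.session.impersonation.initiated",
    },
    "Reset Password": {"user.account.reset_password"},
    "Reset Multifactor": {
        "user.mfa.factor.update",
        "system.mfa.factor.deactivate",
        "user.mfa.attempt_bypass",
    },
}
# Assumed subject keywords that tie a mail notification to a reset category.
MAIL_KEYWORDS = {
    "Reset Password": ("password",),
    "Reset Multifactor": ("mfa", "multifactor", "factor"),
}

# Constructed JSON-lines export of Okta System Log events (trimmed to the fields used).
SAMPLE_OKTA_EVENTS = r'''
{"eventType":"user.session.start","published":"2022-03-22T10:01:00.000Z","actor":{"alternateId":"alice@example.com","type":"User"},"target":[],"client":{"ipAddress":"198.51.100.10"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.account.reset_password","published":"2022-03-22T10:04:00.000Z","actor":{"alternateId":"support@okta.example","type":"User"},"target":[{"alternateId":"alice@example.com","type":"User"}],"client":{"ipAddress":"203.0.113.5"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.impersonation.initiated","published":"2022-03-22T10:06:00.000Z","actor":{"alternateId":"support@okta.example","type":"User"},"target":[{"alternateId":"bob@example.com","type":"User"}],"client":{"ipAddress":"203.0.113.5"},"outcome":{"result":"SUCCESS"}}
{"eventType":"system.mfa.factor.deactivate","published":"2022-03-22T10:08:00.000Z","actor":{"alternateId":"support@okta.example","type":"User"},"target":[{"alternateId":"carol@example.com","type":"User"}],"client":{"ipAddress":"203.0.113.5"},"outcome":{"result":"SUCCESS"}}
'''
# Constructed mail-gateway log (assumed format): one JSON object per notification sent.
SAMPLE_EMAIL_LOG = r'''
{"ts":"2022-03-22T10:04:30Z","recipient":"alice@example.com","subject":"Okta password reset"}
{"ts":"2022-03-22T11:30:00Z","recipient":"dave@example.com","subject":"Okta MFA factor reset"}
'''


def load_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(value):
    # Okta publishes ISO 8601 with a trailing Z; fromisoformat wants +00:00 on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def flag_events(events):
    """Return [(category, event)] for every event whose eventType is on the watchlist."""
    flagged = []
    for ev in events:
        for category, types in WATCHLIST.items():
            if ev.get("eventType") in types:
                flagged.append((category, ev))
    return flagged


def targets_of(ev):
    """User logins named as targets of the event (the accounts acted upon)."""
    return [t.get("alternateId") for t in ev.get("target", []) if t.get("type") == "User"]


def correlate_with_email(flagged, mail_log, window=timedelta(minutes=15)):
    """Cross-check reset events against mail notifications to the same user.

    A reset event with no notification, or a notification with no reset event,
    deserves a closer look: the mail log is the independent record the playbook
    relies on if the Okta System Log itself was tampered with."""
    matched, okta_without_email, used = [], [], set()
    for category, ev in flagged:
        if category not in MAIL_KEYWORDS:          # impersonation has no reset mail
            continue
        when = parse_ts(ev["published"])
        for user in targets_of(ev):
            hit = None
            for i, mail in enumerate(mail_log):
                if i in used or mail["recipient"] != user:
                    continue
                if not any(k in mail["subject"].lower() for k in MAIL_KEYWORDS[category]):
                    continue
                if abs(parse_ts(mail["ts"]) - when) <= window:
                    hit = i
                    break
            if hit is None:
                okta_without_email.append((user, ev["eventType"]))
            else:
                used.add(hit)
                matched.append((user, ev["eventType"]))
    email_without_okta = [(m["recipient"], m["subject"]) for i, m in enumerate(mail_log) if i not in used]
    return {"matched": matched, "okta_without_email": okta_without_email,
            "email_without_okta": email_without_okta}


if __name__ == "__main__":
    flagged = flag_events(load_jsonl(SAMPLE_OKTA_EVENTS))
    for category, ev in flagged:
        print(f"{ev['published']} {category:18} {ev['eventType']:40} "
              f"actor={ev['actor']['alternateId']} ip={ev['client']['ipAddress']} targets={targets_of(ev)}")
    print(json.dumps(correlate_with_email(flagged, load_jsonl(SAMPLE_EMAIL_LOG)), indent=2))
```

On real data, export the System Log for the incident window (the Okta System Log API returns the same event objects), point `SAMPLE_EMAIL_LOG` at your mail gateway's delivery log, and review every entry in `okta_without_email` and `email_without_okta` by hand; the actor login and client IP printed for each flagged event are what you pivot on next.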

If AWS is integrated with Okta SSO (example)

- Identify all IAM Users and associated active IAM keys used for the Okta SSO AWS integration
- Search AWS CloudTrail logs for unusual activity associated with IAM permissions granted to the IAM Users used for the Okta SSO integration
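Both AWS steps above as one script. This is an added example, not the playbook's own code: the first function pulls the active keys of the integration user out of `aws iam list-access-keys` output, the second walks CloudTrail records for that user and reports anything off-pattern. The IAM user name, the set of actions the integration is expected to make, and the allowlist CIDR (standing in for Okta's published egress ranges) are assumptions to replace with your own; the key IDs and records are constructed.

```python
"""Added example for the AWS part of the playbook: (1) list the active access
keys of the IAM user(s) used for the Okta SSO integration, (2) triage
CloudTrail records for those users. All sample data is constructed; the user
name, expected-action set and allowlist CIDR are assumptions to adapt."""
import ipaddress
import json

# Assumed: the IAM user(s) Okta uses for the AWS SSO integration.
INTEGRATION_USERS = {"okta-sso-integration"}
# Assumed: the only API calls that user should ever make. Adjust to what your
# integration actually needs; anything outside this set deserves a closer look.
EXPECTED_ACTIONS = {("iam.amazonaws.com", "ListRoles"), ("iam.amazonaws.com", "ListAccountAliases")}
# Placeholder CIDR standing in for Okta's published egress IP ranges.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed output of `aws iam list-access-keys --user-name okta-sso-integration`.
SAMPLE_LIST_ACCESS_KEYS = r'''{"AccessKeyMetadata":[
 {"UserName":"okta-sso-integration","AccessKeyId":"AKIAEXAMPLEKEY000001","Status":"Active","CreateDate":"2021-06-01T00:00:00+00:00"},
 {"UserName":"okta-sso-integration","AccessKeyId":"AKIAEXAMPLEKEY000002","Status":"Inactive","CreateDate":"2020-01-15T00:00:00+00:00"}]}'''

# Constructed CloudTrail records (trimmed to the fields used here).
SAMPLE_CLOUDTRAIL = r'''{"Records":[
 {"eventTime":"2022-03-22T09:00:00Z","eventSource":"iam.amazonaws.com","eventName":"ListRoles","userIdentity":{"type":"IAMUser","userName":"okta-sso-integration","accessKeyId":"AKIAEXAMPLEKEY000001"},"sourceIPAddress":"203.0.113.20"},
 {"eventTime":"2022-03-22T09:00:01Z","eventSource":"iam.amazonaws.com","eventName":"ListAccountAliases","userIdentity":{"type":"IAMUser","userName":"okta-sso-integration","accessKeyId":"AKIAEXAMPLEKEY000001"},"sourceIPAddress":"203.0.113.20"},
 {"eventTime":"2022-03-22T13:42:10Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","userName":"okta-sso-integration","accessKeyId":"AKIAEXAMPLEKEY000001"},"sourceIPAddress":"198.51.100.77","errorCode":"AccessDenied"},
 {"eventTime":"2022-03-22T13:42:30Z","eventSource":"iam.amazonaws.com","eventName":"ListRoles","userIdentity":{"type":"IAMUser","userName":"okta-sso-integration","accessKeyId":"AKIAEXAMPLEKEY000001"},"sourceIPAddress":"198.51.100.77"},
 {"eventTime":"2022-03-22T14:00:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"type":"IAMUser","userName":"deploy-bot","accessKeyId":"AKIAEXAMPLEKEY000099"},"sourceIPAddress":"192.0.2.9"}]}'''


def active_keys(list_access_keys_json):
    """Step 1: active access keys per integration user -> {user: [keyId, ...]}."""
    keys = {}
    for meta in json.loads(list_access_keys_json)["AccessKeyMetadata"]:
        if meta["UserName"] in INTEGRATION_USERS and meta["Status"] == "Active":
            keys.setdefault(meta["UserName"], []).append(meta["AccessKeyId"])
    return keys


def triage_cloudtrail(cloudtrail_json):
    """Step 2: findings for integration-user activity that is off-pattern."""
    findings = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        if ident.get("type") != "IAMUser" or ident.get("userName") not in INTEGRATION_USERS:
            continue
        reasons = []
        if (rec["eventSource"], rec["eventName"]) not in EXPECTED_ACTIONS:
            reasons.append("unexpected-action")
        try:
            src = ipaddress.ip_address(rec["sourceIPAddress"])
            if not any(src in net for net in ALLOWED_SOURCES):
                reasons.append("source-ip-not-allowlisted")
        except ValueError:
            # CloudTrail records a service hostname when an AWS service made the call.
            reasons.append("source-is-aws-service:" + rec["sourceIPAddress"])
        if rec.get("errorCode"):
            # A failed call is still a data point: e.g. AccessDenied while probing permissions.
            reasons.append("error:" + rec["errorCode"])
        if reasons:
            findings.append({"eventTime": rec["eventTime"], "eventName": rec["eventName"],
                             "userName": ident["userName"], "accessKeyId": ident.get("accessKeyId"),
                             "sourceIPAddress": rec["sourceIPAddress"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("active keys:", active_keys(SAMPLE_LIST_ACCESS_KEYS))
    for f in triage_cloudtrail(SAMPLE_CLOUDTRAIL):
        print(f"{f['eventTime']} {f['eventName']:20} key={f['accessKeyId']} "
              f"src={f['sourceIPAddress']} {', '.join(f['reasons'])}")
```

Feed it the CloudTrail export for the incident window (an Athena or `lookup-events` query filtered on the integration user's name or key ID keeps the volume down). Any finding with `unexpected-action` means the integration key was used for something the integration never needs, which is the signal to rotate the key and pull the full activity for that key ID.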

References

Mitigate

If AWS is integrated with Okta SSO (example)

- Rotate the IAM keys used for the Okta SSO integration
- Apply IP address allowlist rules to the IAM policies used by those IAM principals (AWS guide) (Okta IP allowlist)
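The allowlist step above, as an added example rather than anything from the playbook or from AWS or Okta: it builds the explicit-Deny statement that blocks the integration user's requests from outside a set of CIDRs, and evaluates it against sample request contexts so the condition semantics are visible. The CIDRs are placeholders for the Okta egress ranges the linked allowlist page publishes; the policy shape follows the AWS source-IP deny pattern, including the `aws:ViaAWSService` clause that stops the Deny from hitting calls an AWS service makes on the principal's behalf.

```python
"""Added example for the mitigation step: build an IAM Deny statement that
rejects the Okta SSO integration user's requests from outside an IP allowlist,
then evaluate it against sample request contexts. CIDRs are placeholders for
Okta's published egress ranges (assumption: take the real list from Okta)."""
import ipaddress
import json

# Placeholder for Okta's published IP ranges; replace with the real list.
OKTA_EGRESS_CIDRS = ["203.0.113.0/24", "198.51.100.0/25"]


def source_ip_deny_statement(cidrs):
    """Explicit Deny for every action unless the request came from `cidrs`.

    Both condition keys must match for the Deny to apply (IAM ANDs condition
    blocks). aws:ViaAWSService=false keeps requests that AWS services make on
    the principal's behalf, which carry a service source rather than a client
    IP, from being denied by accident."""
    return {
        "Sid": "DenyOutsideOktaRanges",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {"aws:SourceIp": list(cidrs)},
            "Bool": {"aws:ViaAWSService": "false"},
        },
    }


def policy_document(cidrs):
    """Attach this alongside the integration user's existing Allow statements."""
    return {"Version": "2012-10-17", "Statement": [source_ip_deny_statement(cidrs)]}


def deny_applies(statement, source_ip, via_aws_service=False):
    """Mimic IAM's evaluation of this one statement for a request context."""
    cond = statement["Condition"]
    allowed = [ipaddress.ip_network(c) for c in cond["NotIpAddress"]["aws:SourceIp"]]
    ip_outside = not any(ipaddress.ip_address(source_ip) in net for net in allowed)
    wants_not_via_service = cond["Bool"]["aws:ViaAWSService"].lower() == "false"
    via_matches = (not via_aws_service) if wants_not_via_service else via_aws_service
    return ip_outside and via_matches


if __name__ == "__main__":
    stmt = source_ip_deny_statement(OKTA_EGRESS_CIDRS)
    print(json.dumps(policy_document(OKTA_EGRESS_CIDRS), indent=2))
    for ip, via in [("203.0.113.20", False), ("192.0.2.9", False), ("192.0.2.9", True)]:
        verdict = "DENY" if deny_applies(stmt, ip, via) else "not denied by this statement"
        print(f"{ip:14} viaAWSService={via!s:5} -> {verdict}")
```

An explicit Deny wins over any Allow, so once attached the integration key only works from the listed ranges even if it was copied elsewhere; keep the CIDR list in sync with Okta's published ranges, since a stale list breaks the integration rather than the attacker.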
