agentskills.codes
OK

okta-identity

Okta identity platform detection guidance — System Log event schema (eventType taxonomy, actor/target/outcome structure), session token mechanics, authentication flows (FastPass, FIDO2, delegated auth), admin API abuse patterns, ThreatInsight signals, Okta-to-Entra federation trust chains, and Okta-

Install

mkdir -p .claude/skills/okta-identity && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/17154" && unzip -o skill.zip -d .claude/skills/okta-identity && rm skill.zip

Installs to .claude/skills/okta-identity

Activation

This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.

Okta identity platform detection guidance — System Log event schema (eventType taxonomy, actor/target/outcome structure), session token mechanics, authentication flows (FastPass, FIDO2, delegated auth), admin API abuse patterns, ThreatInsight signals, Okta-to-Entra federation trust chains, and Okta-specific attack patterns (cross-tenant impersonation, HAR file session theft, MFA factor reset abuse, inbound federation hijacking). Use for identity-focused detections targeting Okta telemetry ingested into SIEMs.
514 chars✓ has a “when” triggerlonger than Claude Code's old 250-char listing cap (fine on current versions)

About this skill

Okta Identity — detection authoring

Okta is a major non-Microsoft identity platform with its own telemetry schema, attack surface, and detection patterns. This skill covers the platform internals needed to write detections against Okta System Log events, regardless of which SIEM ingests them.

Not to be confused with entra-id (Microsoft Entra ID) or identity-providers (cross-vendor identity mechanics).


1. System Log event schema

Every Okta event follows a consistent JSON structure:

FieldTypeDetection use
eventTypestringPrimary event classifier. Hierarchical dot-notation (e.g. user.session.start).
actorobjectWho performed the action. Contains id, type, alternateId (email), displayName.
target[]arrayWhat was acted upon. Array of objects with id, type, alternateId, displayName. Search by type, not array position — target order is not guaranteed.
outcomeobjectresult (SUCCESS, FAILURE, SKIPPED, UNKNOWN) + reason string.
clientobjectClient context: userAgent, zone, device, ipAddress, geographicalContext.
authenticationContextobjectauthenticationProvider, credentialType, externalSessionId, interface.
securityContextobjectisProxy (boolean), asNumber, asOrg, isp, domain. IP reputation context.
debugContext.debugDataobjectUnstable but valuable: requestUri, dtHash, threatSuspected, logOnlySecurityData, behaviors.
transactionobjectid (correlation key), type (WEB or JOB), detail.requestApiTokenId (API token used).
publishedISO 8601Event timestamp.
severityenumDEBUG, INFO, WARN, ERROR.
uuidstringUnique event identifier.

Key eventType taxonomy

CategoryeventType patternExamples
Authenticationuser.session.*user.session.start, user.session.end
MFAuser.authentication.auth_via_mfaMFA challenge result
MFA factor lifecyclesystem.mfa.factor.*system.mfa.factor.activate, system.mfa.factor.deactivate, user.mfa.factor.reset_all
User lifecycleuser.lifecycle.*user.lifecycle.create, user.lifecycle.activate, user.lifecycle.suspend, user.lifecycle.deactivate
Passworduser.credential.*user.credential.password.update, user.credential.forgot_password
App accessuser.authentication.ssoSSO into an application
Admin actionsuser.account.*user.account.privilege.grant, user.account.update_profile
Policy changespolicy.lifecycle.*policy.lifecycle.create, policy.lifecycle.update, policy.lifecycle.delete
IdP lifecyclesystem.idp.lifecycle.*system.idp.lifecycle.create, system.idp.lifecycle.update
API tokensystem.api_token.*system.api_token.create, system.api_token.revoke
Group membershipgroup.user_membership.*group.user_membership.add, group.user_membership.remove
Suspicious activityuser.account.report_suspicious_activity_by_enduserEnd-user reported suspicious activity
Rate limitingsystem.org.rate_limit.*Rate limit warnings and violations

2. Authentication flows

Standard sign-in flow

User → Okta sign-in page → Primary auth (password/IWA/delegated)
  → MFA challenge (push/TOTP/FIDO2/FastPass)
  → Session token issued → SSO to applications

Delegated authentication

When Okta delegates to Active Directory, the authenticationContext.authenticationProvider is ACTIVE_DIRECTORY and credentialType is IWA or LDAP_INTERFACE. The password is validated by AD, not Okta — Okta cannot detect password spray against delegated auth directly.

FastPass (Okta Verify device-bound)

FastPass is Okta's phishing-resistant authenticator. Key detection signal: user.authentication.auth_via_mfa with outcome.reason eq "FastPass declined phishing attempt" — this fires when FastPass detects an AiTM proxy.

Device code flow

eventType eq "user.authentication.auth_via_mfa" with authenticationContext.credentialType eq "DEVICE_CODE". Monitor for abuse — device code phishing is a growing attack vector.


3. Attack patterns

3.1 Cross-tenant impersonation (Scattered Spider pattern)

The most significant Okta-specific attack pattern. Flow:

  1. Social engineer IT help desk to reset MFA for a Super Administrator
  2. Enrol attacker-controlled MFA factors
  3. Create a second Identity Provider (inbound federation)
  4. Manipulate username parameter in source IdP to impersonate target users
  5. SSO into applications as any user

Detection signals:

StageSystem Log queryNotes
MFA factor reseteventType eq "user.mfa.factor.reset_all"Alert on any all-factor reset for admin accounts
New IdP createdeventType eq "system.idp.lifecycle.create"Critical — should be extremely rare
IdP modifiedeventType sw "system.idp.lifecycle"Broader — catches create + update + delete
Auth via external IdPeventType eq "user.authentication.auth_via_IDP"Alert if org doesn't use inbound federation
Admin privilege granteventType eq "user.account.privilege.grant"Privilege escalation

3.2 Session token theft (HAR file exfiltration)

Okta session tokens stolen from HAR files (browser network recordings shared with support). The externalSessionId in authenticationContext is the session correlation key.

Detection: Alert on session reuse from a different IP/ASN than the original authentication:

  • Correlate externalSessionId across events
  • Flag when client.ipAddress or securityContext.asNumber changes mid-session

3.3 MFA fatigue / push bombing

Repeated MFA push notifications to exhaust the user into approving.

Detection: eventType eq "user.authentication.auth_via_mfa" with outcome.result eq "FAILURE" — count failures per user per time window. Threshold: >5 failures in 10 minutes.

3.4 Admin API token abuse

API tokens provide persistent access without MFA. Stolen tokens enable silent admin operations.

Detection signals:

  • eventType eq "system.api_token.create" — new token creation
  • transaction.detail.requestApiTokenId present in events — identifies API-driven actions
  • Correlate API token usage with client.ipAddress — flag novel IPs

3.5 Policy weakening

Attacker modifies authentication policies to remove MFA requirements or weaken session controls.

Detection: eventType sw "policy.lifecycle" — alert on any policy modification, especially:

  • policy.rule.update where MFA requirements are removed
  • policy.lifecycle.delete for authentication policies

4. ThreatInsight and behavioural signals

Okta ThreatInsight provides pre-built threat detection signals available in the System Log.

SignaleventType / fieldDetection use
Credential stuffingsecurity.threat.detected with debugContext.debugData.threatSuspectedAutomated credential attacks against the org
Password spraysecurity.threat.detectedDistributed password guessing
Suspicious IPsecurityContext.isProxy = trueTraffic from anonymising proxies, VPNs, Tor
Brute force lockoutuser.account.lockAccount locked due to repeated failures
Anomalous locationdebugContext.debugData.behaviors containing New Geo-LocationSign-in from unusual geography
Anomalous devicedebugContext.debugData.behaviors containing New DeviceSign-in from unrecognised device
Suspicious activity reportuser.account.report_suspicious_activity_by_enduserEnd-user self-reported compromise

debugContext.debugData.behaviors is a JSON string containing Okta's behavioural analysis. Parse it to extract individual signals. Note: debugContext fields are unstable and may change between releases.


5. Okta Workflows and automation abuse

Attack vectoreventTypeDetection signal
Workflow creationsystem.workflow.createNew automation — check for data exfiltration flows
Workflow modificationsystem.workflow.updateChanged automation — may add malicious steps
Workflow with external connectorsystem.workflow.create / updateConnector to external service (Slack, email, HTTP) — data exfiltration channel
Workflow executionsystem.workflow.executeAutomated action triggered — correlate with workflow definition

Risk: Okta Workflows can automate user provisioning, group membership changes, and external API calls. An attacker with admin access can create workflows that silently exfiltrate data or maintain persistence.


6. OAuth app and integration abuse

Attack vectoreventTypeDetection signal
App integration createdapp.lifecycle.createNew app integration — potential OAuth consent phishing
App assigned to user/groupapp.user_membership.add / group.application.assignment.addApp access granted — check if app is legitimate
OAuth scope grantapp.oauth2.consent.grantOAuth consent granted — check scope breadth
App credentials rotatedapp.credential.updateApp secret changed — potential credential theft
SAML certificate changeapp.credential.update (SAML app)Signing certificate changed — potential Golden SAML setup

Risk: Attackers can create rogue app integrations to harvest OAuth tokens, or modify existing SAML app certificates to forge assertions.


7. SIEM ingestion patterns

Column/field names vary by SIEM and connector version. Consult your SIEM's Okta integration documentation for exact field mappings.

Okta native fieldTelemetry typeIngestion methodNotes
System Log eventsIdentity audit lo

Content truncated.

Search skills

Search the agent skills registry