
Detection Engineering for Okta and Entra ID

Dephiant Research | 4 min read

The five identity detections that catch the attacks we actually see in the field.


Identity is now both the perimeter and, too often, the crime scene. As applications move to the cloud and workforces go remote, network-centric defenses matter less, and adversaries have adapted by compromising and abusing identity infrastructure to gain persistence, escalate privileges, and exfiltrate sensitive data. Defenders have to evolve in step, which puts identity threat detection at the center of a sound security posture. Organizations running Okta or Microsoft Entra ID (formerly Azure Active Directory) need deliberate detection engineering to counter these identity-based threats.

Five Detections to Ship This Week

To counter the identity-centric attacks seen in current threat intelligence and incident response engagements, security teams need specific, high-fidelity detections. The five rules below target common, high-impact adversary tactics and are the ones organizations using Okta and Entra ID should implement first.

1. New Device + New Country Within a Session

This detection identifies an anomalous and highly suspicious activity pattern indicative of a potential session hijacking or credential reuse attempt. It triggers when an active user session, established from a recognized device or originating country, suddenly presents activity from an entirely new and previously unseen device and/or a new geographical location within a very short timeframe. Such a rapid change in context is extremely unusual for legitimate user behavior and often signals that an attacker has gained access to a user's session token or credentials and is attempting to bypass existing controls. Implementing this requires correlating session data from identity logs with geolocation and device fingerprinting information.
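The correlation described above, as an added example that is not part of the original post: it groups constructed Okta System Log events (real field names, made-up values) by `authenticationContext.externalSessionId` and alerts when a device fingerprint or country not seen earlier in that session appears within an assumed 30-minute window of the previous event. The fingerprint built from `client.device` and the user-agent fields is an approximation; use device-trust identifiers where your tenant emits them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed: how close two events must be to count as "within a session"

def _ev(ts, user, sid, device, os, browser, country):  # constructed Okta System Log event (real field names)
    return {"published": ts, "actor": {"alternateId": user},
            "authenticationContext": {"externalSessionId": sid},
            "client": {"device": device, "userAgent": {"os": os, "browser": browser},
                       "geographicalContext": {"country": country}}}

SAMPLE_EVENTS = [  # constructed: sess-1 changes device and country 8 minutes into the session
    _ev("2024-05-01T09:00:00.000Z", "alice@example.com", "sess-1", "Computer", "Windows 10", "CHROME", "United States"),
    _ev("2024-05-01T09:12:00.000Z", "alice@example.com", "sess-1", "Computer", "Windows 10", "CHROME", "United States"),
    _ev("2024-05-01T09:20:00.000Z", "alice@example.com", "sess-1", "Computer", "Linux", "FIREFOX", "Netherlands"),
    _ev("2024-05-01T17:00:00.000Z", "bob@example.com", "sess-2", "Mobile", "iOS", "SAFARI", "Germany"),
    _ev("2024-05-01T23:30:00.000Z", "bob@example.com", "sess-2", "Mobile", "iOS", "SAFARI", "France"),
]

def fingerprint(event):
    """Coarse device identity from the client block; swap in device-trust IDs where you have them."""
    ua = event["client"].get("userAgent", {})
    return (event["client"].get("device"), ua.get("os"), ua.get("browser"))

def detect_session_context_change(events, window=WINDOW):
    """Alert when a session shows a device and/or country not seen earlier in that same session,
    and the change lands within `window` of the previous event (slow drift, e.g. travel, is ignored)."""
    by_session = defaultdict(list)
    for e in events:
        sid = e.get("authenticationContext", {}).get("externalSessionId")
        if sid:
            by_session[sid].append(e)
    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["published"])
        seen_devices, seen_countries, last_ts = set(), set(), None
        for e in evs:
            ts = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
            dev, country = fingerprint(e), e["client"]["geographicalContext"]["country"]
            new_device = bool(seen_devices) and dev not in seen_devices
            new_country = bool(seen_countries) and country not in seen_countries
            if (new_device or new_country) and last_ts is not None and ts - last_ts <= window:
                alerts.append({"session": sid, "user": e["actor"]["alternateId"], "at": e["published"],
                               "new_device": new_device, "new_country": new_country,
                               "severity": "high" if new_device and new_country else "medium"})
            seen_devices.add(dev)
            seen_countries.add(country)
            last_ts = ts
    return alerts
```

The second session changes country only after six hours, so it stays silent; that gap is where you tune for VPN exits and mobile carrier hops in your own telemetry.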

2. MFA Factor Enrollment from an Unmanaged Device

One of the most concerning identity-based attacks involves attackers enrolling their own Multi-Factor Authentication (MFA) devices onto a compromised account. This detection specifically targets the scenario where a new MFA factor is enrolled (e.g., a new FIDO2 key, an authenticator app, or SMS number) from a device that is not recognized or managed by the organization's Endpoint Detection and Response (EDR) or Mobile Device Management (MDM) solutions. Adversaries often register their own MFA devices after gaining initial access via phishing or credential stuffing, establishing a persistent back door that bypasses legitimate MFA prompts. This detection requires integration between IAM logs and enterprise device inventory systems.

3. OAuth App Grants for Sensitive Scopes (Mail.Read, Files.Read.All)

The abuse of OAuth applications and their associated permissions is a growing attack vector, particularly in Microsoft 365 environments integrated with Entra ID. This detection monitors new or modified OAuth application consents or grants that request highly sensitive permissions, or "scopes," such as Mail.Read, Mail.Read.Shared, Files.Read.All, or Directory.Read.All. Legitimate applications do need these permissions, but an attacker who has compromised an administrator account can quietly grant them to a malicious OAuth application under their control, creating persistent access to large amounts of organizational data without ever touching the user's account directly. Review and alert on these specific, high-impact scopes.
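The scope check above, as an added example that is not from the original post: it parses constructed Entra ID audit records shaped like the "Consent to application" activity (the `ConsentAction.Permissions` and `ConsentContext.IsAdminConsent` property names are the real ones; identifiers and values are made up), extracts the granted scopes from the permissions string, and rates tenant-wide admin consent above a single user's consent.

```python
import re

# Sensitive Microsoft Graph scopes named in this post plus their read-write counterparts.
SENSITIVE_SCOPES = {"Mail.Read", "Mail.Read.Shared", "Mail.ReadWrite", "Files.Read.All",
                    "Files.ReadWrite.All", "Directory.Read.All", "Directory.ReadWrite.All"}
SCOPE_RE = re.compile(r"Scope:\s*([^\],]+)")  # the permissions string embeds scopes as "Scope: a b c"

def _consent(actor, app, admin, scope_str):  # constructed record in the shape of the "Consent to application" audit event
    return {"activityDisplayName": "Consent to application",
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"displayName": app, "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": f"\"{admin}\""},
                {"displayName": "ConsentAction.Permissions",
                 "newValue": f"\"[] => [[Id: cons-x, ClientId: sp-x, ConsentType: {'AllPrincipals' if admin == 'True' else 'Principal'}, Scope: {scope_str}]]\""}]}]}

SAMPLE_AUDIT = [  # constructed: tenant-wide mailbox/file grant, harmless user grant, unrelated event
    _consent("admin@example.com", "Mail Sync Helper", "True", "openid Mail.Read Files.Read.All offline_access"),
    _consent("carol@example.com", "Calendar Widget", "False", "openid Calendars.Read"),
    {"activityDisplayName": "Add user", "initiatedBy": {}, "targetResources": []},
]

def parse_consent(record):
    """Extract app, actor, granted scopes and admin-consent flag from a consent record, else None."""
    if record.get("activityDisplayName") != "Consent to application":
        return None
    target = record["targetResources"][0]
    props = {p["displayName"]: p.get("newValue", "") for p in target.get("modifiedProperties", [])}
    m = SCOPE_RE.search(props.get("ConsentAction.Permissions", ""))
    return {"app": target["displayName"],
            "actor": record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown"),
            "scopes": set(m.group(1).split()) if m else set(),
            "admin_consent": "true" in props.get("ConsentContext.IsAdminConsent", "").lower()}

def detect_sensitive_grants(records, sensitive=SENSITIVE_SCOPES):
    """Alert on consents that include a sensitive scope; admin (tenant-wide) consent is rated higher."""
    alerts = []
    for rec in records:
        c = parse_consent(rec)
        if c and c["scopes"] & sensitive:
            alerts.append({**c, "sensitive": sorted(c["scopes"] & sensitive),
                           "severity": "high" if c["admin_consent"] else "medium"})
    return alerts
```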

4. Admin Role Assignment Outside Change Windows

Privilege escalation is a primary goal for attackers once they gain initial access. This detection focuses on monitoring assignments of administrative roles or highly privileged group memberships within Okta or Entra ID that occur outside of documented or expected change management windows. Organizations typically have strict procedures and designated timeframes for making significant permission changes to critical systems. An administrative role assignment occurring late at night, on a weekend, or during a holiday period, especially if initiated by an account that doesn't typically perform such actions, is a strong indicator of unauthorized activity and potential privilege escalation by an adversary.
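The change-window rule above, as an added example that is not part of the original post: it evaluates constructed Entra ID audit records shaped like the "Add member to role" activity in business-local time, flags privileged role grants outside an assumed Mon-Fri 09:00-17:00 window or on a holiday, and escalates when the initiating account is not one of the accounts that normally perform such changes. The timezone (UTC-5), window, holiday and expected-actor list are all assumptions to replace with your own.

```python
from datetime import date, datetime, time, timedelta, timezone
# Assumed org settings: UTC-5 local time, Mon-Fri 09:00-17:00 change window, holidays, usual actors.
LOCAL_TZ = timezone(timedelta(hours=-5))
WINDOW_START, WINDOW_END = time(9, 0), time(17, 0)
HOLIDAYS = {date(2024, 5, 27)}
EXPECTED_ACTORS = {"iam-admin@example.com"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Application Administrator"}

def _rec(ts, actor, target, role):  # constructed record in the shape of Entra's "Add member to role" audit event
    return {"activityDisplayName": "Add member to role", "activityDateTime": ts,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"type": "User", "userPrincipalName": target, "modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": f"\"{role}\""}]}]}

SAMPLE_AUDIT = [  # constructed: in-window grant, Friday-night grant by an unexpected actor, holiday grant
    _rec("2024-05-14T14:30:00Z", "iam-admin@example.com", "dave@example.com", "Global Administrator"),
    _rec("2024-05-18T03:10:00Z", "bob@example.com", "svc-backup@example.com", "Global Administrator"),
    _rec("2024-05-27T15:00:00Z", "iam-admin@example.com", "erin@example.com", "Application Administrator"),
]

def parse_role_assignment(record):  # -> (actor, target, role, utc_time) or None for other activities
    if record.get("activityDisplayName") != "Add member to role":
        return None
    target = record["targetResources"][0]
    role = next((p["newValue"].strip('"') for p in target.get("modifiedProperties", [])
                 if p["displayName"] == "Role.DisplayName"), None)
    actor = record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
    ts = datetime.fromisoformat(record["activityDateTime"].replace("Z", "+00:00"))
    return actor, target.get("userPrincipalName"), role, ts

def detect_offwindow_role_grants(records, tz=LOCAL_TZ):
    # Privileged grants outside the window or on holidays alert; an unusual actor raises severity.
    alerts = []
    for rec in records:
        parsed = parse_role_assignment(rec)
        if not parsed or parsed[2] not in PRIVILEGED_ROLES:
            continue
        actor, target, role, ts = parsed
        local = ts.astimezone(tz)  # evaluate the policy in business-local time, not UTC
        reasons = []
        if local.weekday() >= 5 or not (WINDOW_START <= local.time() <= WINDOW_END):
            reasons.append("outside change window")
        if local.date() in HOLIDAYS:
            reasons.append("holiday")
        if not reasons:
            continue
        if actor not in EXPECTED_ACTORS:
            reasons.append("unusual actor")
        alerts.append({"actor": actor, "target": target, "role": role, "local_time": local.isoformat(),
                       "reasons": reasons, "severity": "high" if "unusual actor" in reasons else "medium"})
    return alerts
```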

5. Legacy Authentication Attempts After Deprecation

Many organizations are actively disabling or deprecating legacy authentication protocols (e.g., Basic Authentication, older versions of Exchange ActiveSync) because they are inherently insecure and cannot enforce modern controls such as MFA. This detection looks for any attempt to authenticate with one of these legacy protocols after it has been officially removed or disabled in the IAM platform. Continued attempts signal a misconfigured client, a shadow IT component, or, more commonly, a persistent attacker probing older, weaker pathways to get around the modern controls that legitimate users are subject to. Detecting these attempts is critical even when they are blocked, because they reveal adversary tactics and policy bypass attempts.
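The post-deprecation check above, as an added example that is not part of the original post: it scans constructed Entra ID sign-in records (`clientAppUsed`, `status.errorCode` and the other field names are real; values are made up) for legacy client types after each protocol's assumed cut-off date, and aggregates attempts per user and protocol whether or not they were blocked, since a successful legacy sign-in after the cut-off means the policy was bypassed.

```python
from collections import defaultdict
from datetime import datetime

# Legacy clientAppUsed values from Entra sign-in logs and the (assumed) date each was disabled.
DEPRECATED_AFTER = {
    "Exchange ActiveSync": "2024-03-01",
    "IMAP4": "2024-03-01",
    "POP3": "2024-03-01",
    "Authenticated SMTP": "2024-04-15",
    "Other clients": "2024-03-01",  # catch-all Entra uses for other basic-auth clients
}

SAMPLE_SIGNINS = [  # constructed records in the shape of Entra ID sign-in logs
    {"createdDateTime": "2024-02-20T08:00:00Z", "userPrincipalName": "alice@example.com",
     "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T01:15:00Z", "userPrincipalName": "alice@example.com",
     "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.9", "status": {"errorCode": 53003}},
    {"createdDateTime": "2024-05-02T01:16:00Z", "userPrincipalName": "alice@example.com",
     "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.10", "status": {"errorCode": 53003}},
    {"createdDateTime": "2024-05-03T09:00:00Z", "userPrincipalName": "scanner@example.com",
     "clientAppUsed": "Authenticated SMTP", "ipAddress": "192.0.2.4", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-03T09:01:00Z", "userPrincipalName": "bob@example.com",
     "clientAppUsed": "Browser", "ipAddress": "192.0.2.5", "status": {"errorCode": 0}},
]

def detect_legacy_auth(signins, deprecated=DEPRECATED_AFTER):
    """Aggregate legacy-protocol sign-in attempts made after the protocol's cut-off, blocked or not."""
    findings = defaultdict(lambda: {"attempts": 0, "succeeded": 0, "blocked": 0, "ips": set()})
    for s in signins:
        proto = s.get("clientAppUsed")
        if proto not in deprecated:
            continue
        when = datetime.fromisoformat(s["createdDateTime"].replace("Z", "+00:00")).date()
        if when < datetime.fromisoformat(deprecated[proto]).date():
            continue  # before cut-off: expected legacy traffic, not this detection's job
        f = findings[(s["userPrincipalName"], proto)]
        f["attempts"] += 1
        f["ips"].add(s["ipAddress"])
        f["succeeded" if s["status"]["errorCode"] == 0 else "blocked"] += 1
    # A success after cut-off means the block is not working; blocked attempts are still worth a ticket.
    return [{"user": u, "protocol": p, **f, "ips": sorted(f["ips"]),
             "severity": "critical" if f["succeeded"] else "high"}
            for (u, p), f in findings.items()]
```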

These five identity detections, when properly implemented and tuned, provide a formidable defense against some of the most prevalent and damaging identity-based attacks observed today. Prioritizing their deployment is not merely a recommendation; it is a critical requirement for organizations to safeguard their digital assets in an identity-centric threat landscape.