BIPI

Okta Incident Response Runbook: System Log, Factor Forensics, and Downstream SP Mapping

Cybersecurity

A practitioner Okta IR playbook covering System Log queries, session revocation, App Assignment audit, MFA factor review, ThreatInsight policy review, OAuth scope checks, and downstream service provider impact.

By Arjun Raghavan, Security & Systems Lead, BIPI · June 14, 2024 · 8 min read

#okta #identity #ir

Okta is the front door, so an Okta incident is a multi-app incident by definition. The runbook below assumes a Workforce Identity tenant with System Log access and an Okta API token reserved for IR work, issued to a dedicated service account with the narrowest admin role that still permits clearing sessions, suspending users and resetting factors (a read-only token covers the log work in section 1, but not the containment steps in sections 2 and 4).

1. The System Log query

The System Log API is the single source of truth. The events that matter during IR cluster around user.session.start, user.authentication.auth_via_mfa, user.account.update_password, user.mfa.factor.activate, system.api_token.create, application.user_membership.add, and policy.evaluate_sign_on.

GET /api/v1/logs?filter=actor.alternateId+eq+%22alex@contoso.com%22&since=2024-05-25T00:00:00Z&sortOrder=ASCENDING

Stream the events to JSONL and pivot. The Okta event JSON is rich: each entry includes client, debugContext, outcome, securityContext (asn, isp, isProxy) and target. A successful authentication with securityContext.isProxy=true is a red flag. The endpoint is paginated: follow the rel="next" URL in the Link response header until a page comes back empty.
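As an added example (not code from the original post), the Python below builds the System Log query for one actor, follows the Link-header pagination, and triages the fetched events for the pivots listed above. It assumes the org base URL and an SSWS API token are supplied by the caller and that the requests library is installed; the sample events are constructed for illustration and carry only the fields the triage reads.

```python
"""Pull one user's Okta System Log as JSONL and triage it for IR pivots.

Added example, not code from the original post. Network access happens only
in fetch_log(); everything else runs offline on the constructed sample below.
"""
import json
import re
from urllib.parse import urlencode

# Event types from the runbook that deserve a second look in the compromise window.
PIVOT_EVENTS = {
    "user.mfa.factor.activate": "new MFA factor enrolled",
    "user.mfa.factor.deactivate": "MFA factor removed",
    "user.account.update_password": "password changed",
    "system.api_token.create": "API token created",
    "application.user_membership.add": "app assignment added",
}


def build_log_url(base, actor_email, since):
    """System Log query for one actor, oldest event first, largest page size."""
    params = {
        "filter": f'actor.alternateId eq "{actor_email}"',
        "since": since,
        "sortOrder": "ASCENDING",
        "limit": 1000,
    }
    return f"{base}/api/v1/logs?{urlencode(params)}"


def next_page(link_header):
    """Return the rel="next" URL from an Okta Link header, or None."""
    for part in (link_header or "").split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="next"', part)
        if m:
            return m.group(1)
    return None


def fetch_log(base, token, actor_email, since):
    """Yield events page by page until Okta returns an empty page (needs network)."""
    import requests  # assumption: requests is installed
    url = build_log_url(base, actor_email, since)
    headers = {"Authorization": f"SSWS {token}", "Accept": "application/json"}
    while url:
        resp = requests.get(url, headers=headers, timeout=30)
        resp.raise_for_status()
        page = resp.json()
        if not page:
            break
        yield from page
        url = next_page(resp.headers.get("Link"))


def triage(events):
    """Flag the events an analyst pivots on: (published, reason, client IP)."""
    findings = []
    for ev in events:
        etype = ev.get("eventType", "")
        outcome = (ev.get("outcome") or {}).get("result")
        sec = ev.get("securityContext") or {}
        ip = (ev.get("client") or {}).get("ipAddress")
        if etype == "user.session.start" and outcome == "SUCCESS" and sec.get("isProxy"):
            findings.append((ev["published"], "successful sign-in via proxy", ip))
        elif etype in PIVOT_EVENTS and outcome == "SUCCESS":
            findings.append((ev["published"], PIVOT_EVENTS[etype], ip))
    return findings


# Constructed sample events (trimmed to the fields triage() reads; not real data).
SAMPLE_EVENTS = [
    {"published": "2024-05-26T08:01:00.000Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "203.0.113.10"},
     "securityContext": {"asn": 64496, "isp": "example-vpn", "isProxy": True}},
    {"published": "2024-05-26T08:02:30.000Z", "eventType": "user.mfa.factor.activate",
     "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "203.0.113.10"},
     "securityContext": {"isProxy": True}},
    {"published": "2024-05-26T09:00:00.000Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "198.51.100.7"},
     "securityContext": {"isProxy": False}},
    {"published": "2024-05-26T09:05:00.000Z", "eventType": "user.mfa.factor.activate",
     "outcome": {"result": "FAILURE"}, "client": {"ipAddress": "198.51.100.7"},
     "securityContext": {"isProxy": False}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(json.dumps(ev))          # one event per line: the JSONL to archive
    for published, reason, ip in triage(SAMPLE_EVENTS):
        print(published, reason, ip)
```

In a live run, replace SAMPLE_EVENTS with `list(fetch_log(base, token, "alex@contoso.com", "2024-05-25T00:00:00Z"))` and write each event out with json.dumps before triaging, so the raw log survives even if the analysis script is wrong.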

2. Session revocation and the kill switch

Clear the user's sessions, then suspend the user. Order matters: clearing sessions first kills the Okta session cookie, so it can no longer be used to obtain fresh SAML assertions or OIDC tokens for downstream apps; suspending afterwards stops the attacker from starting a new session with the stolen credential.

DELETE /api/v1/users/{userId}/sessions?oauthTokens=true then POST /api/v1/users/{userId}/lifecycle/suspend

The oauthTokens=true parameter additionally revokes OAuth and OIDC tokens issued by Okta's own authorization servers. Neither call touches sessions or tokens that downstream apps have already issued on the strength of an earlier assertion. That is a downstream problem we cover in section 6.
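The kill switch as an added Python example (not the post's own code). The HTTP call is injected so the sequence can be rehearsed without a tenant; okta_call() shows the production wiring with the requests library (assumed installed) and the IR token. The status codes checked, 204 for clearing sessions and 200 for suspend, are Okta's documented responses for these endpoints.

```python
"""Okta kill switch: clear sessions (and Okta-issued OAuth tokens), then suspend.

Added example, not code from the original post. `http` is a callable
(method, path, params) -> HTTP status so the order of operations can be
rehearsed with dry_run() and wired to a real tenant with okta_call().
"""


def okta_call(base, token):
    """Production wiring: returns an http callable backed by requests."""
    import requests  # assumption: requests is installed

    def call(method, path, params=None):
        r = requests.request(method, f"{base}{path}", params=params, timeout=30,
                             headers={"Authorization": f"SSWS {token}"})
        return r.status_code
    return call


def dry_run():
    """Rehearsal wiring: records every call and answers with the success codes."""
    issued = []

    def call(method, path, params=None):
        issued.append((method, path, params))
        return 204 if method == "DELETE" else 200
    call.issued = issued
    return call


def kill_switch(http, user_id):
    """Revoke the user's Okta sessions, then suspend the user, in that order.

    Returns the ordered list of (method, path, params) issued so the action
    can be pasted into the incident timeline.
    """
    issued = []
    # 1. Clear sessions. oauthTokens=true also revokes OAuth/OIDC tokens minted
    #    by Okta's own authorization servers. It does nothing for tokens that a
    #    downstream SP issued after accepting an earlier assertion (section 6).
    step = ("DELETE", f"/api/v1/users/{user_id}/sessions", {"oauthTokens": "true"})
    status = http(*step)
    issued.append(step)
    if status != 204:
        raise RuntimeError(f"clear sessions failed with HTTP {status}; do not proceed blind")
    # 2. Suspend so no new session can be started with the stolen credential.
    step = ("POST", f"/api/v1/users/{user_id}/lifecycle/suspend", None)
    status = http(*step)
    issued.append(step)
    if status != 200:
        raise RuntimeError(f"suspend failed with HTTP {status}; user still active")
    return issued


if __name__ == "__main__":
    rehearsal = dry_run()
    for method, path, params in kill_switch(rehearsal, "00u1abc"):  # invented user id
        print(method, path, params or "")
```

Failing closed on the first step is deliberate: if the session clear did not succeed, suspending the user gives a false sense of containment while the existing session cookie keeps working.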

3. App assignment audit

List the user's app assignments (GET /api/v1/apps?filter=user.id eq "{userId}"). For each app, fetch the application user record (GET /api/v1/apps/{appId}/users/{userId}) and check whether its scope is USER (direct) or GROUP (inherited), and when it was created. An assignment added during the compromise window is a persistence step.

application.user_membership.add events in the System Log tell you who added the assignment. If the actor is the compromised user and they had self-service group membership rights, the attacker may have used the user's own permissions to grant new app access.

4. MFA factor forensics

MFA factor manipulation is the underestimated Okta persistence mechanism. The attacker enrolls a new factor on a device they control, typically a phone or a YubiKey, and the user rarely notices because their own factor keeps working.

  • user.mfa.factor.activate events show new factor enrollments with the factor type and provider.
  • user.mfa.factor.deactivate events show removed factors; attackers sometimes remove legitimate factors to force the user to a recovery flow they control.
  • user.mfa.factor.update_phone events show phone number changes for SMS factors.

Any factor activated in the compromise window gets removed via DELETE /api/v1/users/{userId}/factors/{factorId}. Then POST /api/v1/users/{userId}/lifecycle/reset_factors to clear the rest, and have the user re-enroll from a verified device with the IT team present.
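An added Python example (not the post's own code) for the factor cleanup: it selects, from a GET /api/v1/users/{userId}/factors response, the factors whose enrollment timestamp falls inside the compromise window, deletes them one by one, then resets the rest. The factor list below is constructed with invented ids; only id, factorType, provider, status and created are used, and `http` is an injected (method, path) -> status callable as in the kill switch.

```python
"""MFA factor cleanup after a compromise window.

Added example, not code from the original post. SAMPLE_FACTORS mimics the
shape of GET /api/v1/users/{userId}/factors with invented ids and timestamps.
"""
from datetime import datetime, timezone


def parse_ts(s):
    """Okta timestamps are ISO 8601 with millisecond precision and a Z suffix."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def factors_in_window(factors, window_start, window_end):
    """Factors whose enrollment (created) falls inside the compromise window."""
    start, end = parse_ts(window_start), parse_ts(window_end)
    return [f for f in factors if start <= parse_ts(f["created"]) <= end]


def purge_factors(http, user_id, factors, window_start, window_end):
    """Delete every factor enrolled in the window, then reset all factors.

    Returns the factor ids removed individually. The reset afterwards is
    deliberate: it clears anything the window filter cannot see, such as a
    pre-existing SMS factor whose phone number was changed, and forces the
    supervised re-enrollment the runbook calls for.
    """
    removed = []
    for f in factors_in_window(factors, window_start, window_end):
        status = http("DELETE", f"/api/v1/users/{user_id}/factors/{f['id']}")
        if status != 204:  # Okta answers 204 No Content on a successful delete
            raise RuntimeError(f"delete factor {f['id']} failed with HTTP {status}")
        removed.append(f["id"])
    status = http("POST", f"/api/v1/users/{user_id}/lifecycle/reset_factors")
    if status != 200:
        raise RuntimeError(f"reset_factors failed with HTTP {status}")
    return removed


# Constructed sample factor list (invented ids; shape of the real response).
SAMPLE_FACTORS = [
    {"id": "opf_legit01", "factorType": "push", "provider": "OKTA",
     "status": "ACTIVE", "created": "2023-11-02T10:00:00.000Z"},
    {"id": "opf_evil01", "factorType": "sms", "provider": "OKTA",
     "status": "ACTIVE", "created": "2024-05-26T08:02:30.000Z"},
    {"id": "opf_evil02", "factorType": "webauthn", "provider": "FIDO",
     "status": "ACTIVE", "created": "2024-05-26T08:03:10.000Z"},
]

if __name__ == "__main__":
    log = []
    rehearsal = lambda m, p: log.append((m, p)) or (204 if m == "DELETE" else 200)
    print(purge_factors(rehearsal, "00u1abc", SAMPLE_FACTORS,
                        "2024-05-25T00:00:00.000Z", "2024-05-27T00:00:00.000Z"))
    for call in log:
        print(*call)
```

Record the factorType and provider of each removed factor before deleting: a webauthn factor from a provider you do not issue, or an SMS number in a country the user has never been to, is evidence worth keeping in the case file.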

5. ThreatInsight and policy evaluation

ThreatInsight maintains a feed of IP addresses Okta has observed attacking its customers. Check which mode your tenant runs it in: off, log only, or log and block. Sign-in attempts from flagged sources produce security.threat.detected events, and the policy.evaluate_sign_on events show which sign-on policy and rule were evaluated for the attempt.

If the attacker logged in from a ThreatInsight-flagged IP and the tenant allowed it, that is a gap to close. Move ThreatInsight to log and block. If blocking is not yet acceptable, at least turn logging on so the flagged attempts reach the SIEM, and use sign-on policy rules (by network zone or behavior) to require MFA for those sources.

6. Downstream service provider impact mapping

This is the part most teams underestimate. Okta revocation does not propagate to downstream apps automatically: once an SP has accepted an assertion it keeps its own session and tokens. For each app the user accessed, you need a separate revocation action.

  • M365: POST users/{id}/revokeSignInSessions on the Graph API. This invalidates refresh tokens and session cookies; access tokens already issued keep working until they expire (typically about an hour), so keep watching that mailbox.
  • Google Workspace: users.signOut on the Admin SDK Directory API.
  • Salesforce: revoke the user's OauthToken records (query them by UserId, then delete them).
  • AWS via SAML: changing the role's trust policy only stops new assumptions. To cut off sessions already assumed, attach an inline deny policy to the role with a DateLessThan condition on aws:TokenIssueTime, which is what the console's "Revoke active sessions" button does.
  • Slack: admin.users.session.reset (Enterprise Grid admin API).
  • GitHub: revoke the user's SAML SSO sessions and the SSO-authorized personal access tokens and SSH keys at the org level.
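
An added Python example (not the post's own code) that turns the user's Okta app assignment list into a per-SP revocation plan: mapped SPs get the API call from the list above, AWS gets the IAM deny policy, and anything unmapped comes back as a MANUAL item so it cannot be silently skipped. The app labels and identifiers are invented for the example, the per-SP user identifiers (Entra object id, Google email, Slack user id) must come from each SP rather than from Okta, and the endpoint paths are from the vendors' public API documentation as recalled here, so verify them against current docs before wiring this to production.

```python
"""Downstream SP revocation plan for one compromised Okta user.

Added example, not code from the original post. Nothing here makes a network
call; it produces the list of actions an analyst (or a follow-on script) runs.
"""
import json


def _m365(ids):
    return ("POST",
            f"https://graph.microsoft.com/v1.0/users/{ids['entra_object_id']}/revokeSignInSessions",
            None)


def _google(ids):
    return ("POST",
            f"https://admin.googleapis.com/admin/directory/v1/users/{ids['google_email']}/signOut",
            None)


def _slack(ids):
    return ("POST", "https://slack.com/api/admin.users.session.reset",
            {"user_id": ids["slack_user_id"]})


# Okta app label -> builder returning (method, url, json_body). The labels are
# the ones used in the constructed example; real tenants use their own labels.
REVOKERS = {
    "Microsoft Office 365": _m365,
    "Google Workspace": _google,
    "Slack": _slack,
}


def aws_revoke_policy(cutoff_iso):
    """Inline deny policy for an IAM role: any session whose credentials were
    issued before cutoff_iso is refused, which cuts off already-assumed SAML
    sessions that a trust-policy change would leave alive."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff_iso}},
        }],
    }


def plan_revocations(app_labels, ids, aws_roles=(), cutoff_iso=None):
    """One plan entry per assigned app: api, iam_policy, or MANUAL."""
    plan = []
    for label in app_labels:
        builder = REVOKERS.get(label)
        if builder:
            method, url, body = builder(ids)
            plan.append({"app": label, "action": "api", "method": method,
                         "url": url, "body": body})
        elif label.startswith("AWS") and aws_roles:
            for role in aws_roles:
                plan.append({"app": label, "action": "iam_policy", "role": role,
                             "policy": aws_revoke_policy(cutoff_iso)})
        else:
            plan.append({"app": label, "action": "MANUAL",
                         "note": "no automated revocation mapped; SP owner must act"})
    return plan


# Constructed inputs: app labels and identifiers are invented for the example.
SAMPLE_APPS = ["Microsoft Office 365", "Google Workspace", "Slack",
               "AWS Account Federation", "Jira Cloud"]
SAMPLE_IDS = {
    "entra_object_id": "2b5e1f3c-0000-4000-8000-000000000001",
    "google_email": "alex@contoso.com",
    "slack_user_id": "U0000000001",
}
SAMPLE_ROLES = ["arn:aws:iam::123456789012:role/OktaFederatedAdmin"]

if __name__ == "__main__":
    plan = plan_revocations(SAMPLE_APPS, SAMPLE_IDS, SAMPLE_ROLES, "2024-05-27T00:00:00Z")
    print(json.dumps(plan, indent=2))
```

Feed SAMPLE_APPS from the assignment audit in section 3 and keep the MANUAL entries in the ticket: the apps nobody has mapped yet are exactly the ones whose SP owners need to be in the quarterly rehearsal.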

At a glance
  • 90 days: System Log retention default
  • Unlimited: with log streaming to a SIEM
  • 6 hrs: median Okta+downstream IR

Okta is the most leveraged identity in your stack. The runbook should be rehearsed quarterly with the downstream SP owners. Identity IR is a team sport played across tenant boundaries.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.