Okta Unauthorized Access to Application

name: Okta Unauthorized Access to Application
id: 5f661629-9750-4cb9-897c-1f05d6db8727
version: 8
date: '2026-03-10'
author: Bhavin Patel, Splunk
data_source:
    - Okta
type: Anomaly
status: production
description: The following analytic identifies attempts by users to access Okta applications that have not been assigned to them. It leverages Okta Identity Management logs, specifically focusing on failed access attempts to unassigned applications. This activity is significant for a SOC as it may indicate potential unauthorized access attempts, which could lead to exposure of sensitive information or disruption of services. If confirmed malicious, such activity could result in data breaches, non-compliance with data protection laws, and overall compromise of the IT environment.
search: |-
    | tstats values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason FROM datamodel=Authentication
      WHERE Authentication.signature=app.generic.unauth_app_access_attempt Authentication.action="failure"
      BY _time Authentication.src Authentication.user
         Authentication.dest
    | `drop_dm_object_name("Authentication")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | iplocation src
    | `okta_unauthorized_access_to_application_filter`
how_to_implement: This detection utilizes logs from Okta Identity Management (IM) environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
known_false_positives: There is a possibility that a user may accidentally click on the wrong application, which could trigger this event. It is advisable to verify the location from which this activity originates.
references:
    - https://attack.mitre.org/techniques/T1110/003/
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A user [$user$] is attempting to access an unauthorized application from IP Address - [$src$]
    risk_objects:
        - field: user
          type: user
          score: 20
    threat_objects:
        - field: src
          type: ip_address
tags:
    analytic_story:
        - Okta Account Takeover
    asset_type: Okta Tenant
    mitre_attack_id:
        - T1087.004
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: identity
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/okta_unauth_access/okta_unauth_access.log
          source: Okta
          sourcetype: OktaIM2:log