Okta New Device Enrolled on Account

name: Okta New Device Enrolled on Account
id: bb27cbce-d4de-432c-932f-2e206e9130fb
version: 12
date: '2026-03-10'
author: Michael Haag, Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic identifies when a new device is enrolled on an Okta account. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud to detect the creation of new device enrollments. This activity is significant as it may indicate a legitimate user setting up a new device or an adversary adding a device to maintain unauthorized access. If confirmed malicious, this could lead to potential account takeover, unauthorized access, and persistent control over the compromised Okta account. Monitoring this behavior is crucial for detecting and mitigating unauthorized access attempts.
data_source:
    - Okta
search: |-
    | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime FROM datamodel=Change
      WHERE All_Changes.action=created All_Changes.command=device.enrollment.create
      BY _time span=5m All_Changes.user
         All_Changes.result All_Changes.command sourcetype
         All_Changes.src All_Changes.action All_Changes.object_category
         All_Changes.dest
    | `drop_dm_object_name("All_Changes")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `okta_new_device_enrolled_on_account_filter`
how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
known_false_positives: It is possible that the user has legitimately added a new device to their account. Please verify this activity.
references:
    - https://attack.mitre.org/techniques/T1098/005/
    - https://developer.okta.com/docs/reference/api/event-types/?q=device.enrollment.create
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A new device was enrolled on an Okta account for user [$user$]. Investigate further to determine if this was authorized.
    risk_objects:
        - field: user
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Okta Account Takeover
        - Scattered Lapsus$ Hunters
    asset_type: Okta Tenant
    mitre_attack_id:
        - T1098.005
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: identity
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/okta_new_device_enrolled.log
          source: Okta
          sourcetype: OktaIM2:log