Datadog and Okta Combine for New Customer Detections

Okta | Tom Simpson, Jordan Ruocco, Julie Agnes Sparks and Greg Foss

Comprehensive monitoring of identity activity is crucial to the security of any organization. A compromised identity can lead to widespread data breaches and significant financial loss. However, the challenge for many security teams is that effective detection engineering has historically required significant manual effort and dedicated resources. Analysts are required to observe techniques used for identity-based attacks and then write, test and optimize detections for their Security Information Event Management (SIEM) or logging platforms.

Okta’s Cyber Defense team is at the forefront of observing identity attacks, developing new detections for them and reducing customers’ operational burden. This work also powers security product innovations such as Okta Identity Threat Protection (ITP), which continually assesses user sessions using the Continuous Access Evaluation Profile (CAEP) standard and enables new security automation capabilities.

To further assist Okta customers, in May 2025 we took a foundational step and released the Okta Security Detection Catalog, a repository of detection queries and preventative configurations designed to empower Okta customers to proactively identify and prevent potential security threats.

Today we are announcing a collaboration with the Security Research team at Datadog to make it even easier to implement these detections.

Together, we have enhanced the Out-of-the-Box (OotB) detection capabilities of Datadog’s Cloud SIEM by including rules from the Okta Security Detection Catalog. These rules have been engineered to enable the identification of identity-related threats with minimal configuration. 

Crucially, this partnership is bi-directional. The enhanced logic developed by Datadog’s own Security Research team during this collaboration has been contributed back to the public Okta Security Detection Catalog, ensuring that the broader security community benefits from this joint research regardless of their tooling. 

This integration goes beyond simple logging: it uses signal correlation, combining multiple signals from Okta’s System Log, Identity Threat Protection, and ThreatInsight, to provide higher-fidelity detections and reduce false positives.

Getting Started

These new detection rules are available now in Datadog Cloud SIEM, with plans to add new rules over time. Developed in collaboration between the Okta Detection and Response team and Datadog Security Engineers, these rules can be configured and run directly within the Datadog platform for any organization that ingests Okta System Log events.

For those who are not Datadog customers, we have ensured this collaboration benefits the wider community as well. All foundational logic developed during this partnership has been contributed back to the public Okta Security Detection Catalog. This allows security teams using other SIEM platforms to review, adapt, and deploy these high-value detections within their own environments.

  • Preview The New Detections: View Datadog’s Out-of-the-Box Default Rules for Okta here.

  • Ingest Okta System Logs: Follow the instructions here to integrate Okta with your Datadog instance.

  • Enable the New Detections: Ensure the Okta customer detections are active within your Datadog environment.

  • Review Alerting Policies: Customize alerting thresholds and notification channels to fit your organisation's needs.

New Detection Rule Highlights

To give you an idea of the capabilities now available, here are a few examples of the new rules and the specific identity threats they help detect:

Okta OAuth mismatched URI
Tactic: Credential Access
Technique: Steal Application Access Token (T1528)
Description: This rule monitors failed OAuth access token grant activity where the provided reason is mismatched_redirect_uri. Alert severity is increased if Okta’s provided "threat suspected" field evaluates to true. This is critical for detecting adversaries leveraging phishing infrastructure; they may attempt to compromise users by issuing redirects to a phishing domain during the OAuth flow.

Okta policy rule modified to downgrade MFA
Tactic: Defense Evasion
Technique: Modify Authentication Process: Multi-Factor Authentication (T1556.006)
Description: This rule monitors when an administrator updates an Okta policy rule (indicated by a policy.rule.update event). When the previous policy logic did not contain 1FA but the updated logic does, an alert will trigger. A higher-severity alert is generated when the source IP address has been classified as suspicious or malicious. Downgrading multi-factor authentication (MFA) requirements reduces security posture and can be used by an attacker to maintain persistence or facilitate account compromise via social engineering.

Okta phone number assigned to multiple users
Tactic: Persistence
Technique: Account Manipulation: Device Registration (T1098.005)
Description: This rule monitors phone number enrollment verification by SMS within a short period. The reuse of a single phone number across multiple user accounts is a strong indicator of an attacker trying to maintain persistence or enroll a controlled device across compromised accounts.

Okta temporary password granted and MFA reset
Tactic: Persistence
Technique: Account Manipulation (T1098)
Description: This rule monitors Okta account recovery and factor administration events, alerting when both user.account.expire_password and user.mfa.factor.reset_all succeed for the same account. When an administrator expires a user password, they may generate a temporary password which an attacker can use to log in and set their own. If factors are also reset, the attacker can register their own MFA devices. This behavior is a strong signal of account takeover, especially when stemming from uncommon locations or hosting provider IP addresses.

Conclusion

In a decentralized cloud environment, identity sprawl can quickly lead to chaos. Okta brings structure to this landscape by centralizing access, provisioning, and governance across an organization’s entire application stack.

Because Okta is the chosen platform for protecting access to these critical resources, administrative access to Okta must be treated as highly privileged. Just as you monitor your most sensitive infrastructure, monitoring the platform that governs access to it is a fundamental security practice.

Together, Okta and Datadog enable organizations to safeguard this centralized control point, arming security teams with the high-fidelity signals and pre-built intelligence needed to detect and respond to threats at scale in real-time.

Resources:

Okta Security Detection Catalog: https://github.com/okta/customer-detections
Okta Identity Threat Protection: https://www.okta.com/en-au/products/identity-threat-protection/
Datadog Default Rules for Okta: https://docs.datadoghq.com/security/default_rules/?search=okta
Datadog Cloud SIEM: https://www.datadoghq.com/product/cloud-siem/

Okta
Tom Simpson
Staff Detection and Response Engineer

Tom is a Staff Detection and Response Engineer within Okta’s Defensive Cyber Operations team. Tom has spent two decades in the security industry and is an expert at intrusion research, incident response and engineering secure systems, which he’s demonstrated at Okta, TikTok, CrowdStrike, and in the Australian Defence industry. Tom currently holds the GSEC, GCIH and GREM, previously volunteering as a SANS teaching assistant. He enjoys researching the latest trends in adversary tactics and sharing his findings through security research blogs and conference talks.

Jordan Ruocco
Senior Manager, Okta Cyber Defense Team

Jordan is a cybersecurity leader specialising in security operations, threat intelligence, and security engineering. With a career in technology that began as a teen, Jordan brings nearly two decades of experience to his role as a Senior Manager within Okta’s Cyber Defense team. He leads an expert group of engineers dedicated to building the defenses and response capabilities required to promptly identify, contain, and evict advanced persistent threats from Okta’s environment.

Julie Agnes Sparks
Senior Security Engineer, Security Research, Datadog

Julie Agnes Sparks is a Senior Security Engineer in the Security Research organization at Datadog. Julie has previous experience on detection and response teams at Brex and Cloudflare with a focus on how to identify attacks, help the organization stay on top of emerging threats, and mature detection processes. She prioritizes involvement and connection in the security community and mentoring women who are entering the field.

Greg Foss
Engineering Manager, Threat Detection Engineering, Datadog

Greg Foss is a cybersecurity leader with over 15 years of experience spanning threat research, security operations, and offensive security. As the Engineering Manager of Threat Detection Engineering at Datadog, he leads a team of elite threat hunters and detection engineers, developing cutting-edge defenses against sophisticated cloud-native intrusions by nation-state and criminally motivated adversaries.