Indicators of Compromise for Identity-Based Attacks: A Practical Guide for Security Leaders

This guide explores indicators of compromise (IoCs), explains how they manifest in logs and control planes, and provides examples of the queries and events that reveal them.


Identity has become the primary attack vector for adversaries. From credential stuffing and MFA fatigue to token theft and illicit privilege escalation, attackers increasingly target the trust layer that connects people, devices, and workloads.

This guide explores the most practical indicators of compromise (IoCs) that CISOs and security leaders must monitor, explains how they manifest in logs and control planes, and provides examples of the queries and events that reveal them.


Why Identity-Specific IoCs Demand Attention

Traditional indicators—malware hashes, IP addresses, file names—still matter, but they no longer capture the full picture. Attackers exploit the human and machine identities that form the backbone of digital operations.

The MITRE ATT&CK framework highlights this shift with techniques like brute force (T1110), MFA prompt bombing (T1621), and pass-the-cookie (T1550.004).

Unlike signature-based IoCs, identity IoCs are behavioral: they reveal themselves in abnormal login patterns, suspicious privilege changes, or unusual OAuth consents. Detecting them requires careful correlation across your identity provider (IdP), identity governance (IGA), and unified endpoint management (UEM) platforms.


Pre-Authentication Indicators

The earliest signs of identity attack activity typically appear before successful authentication. This includes failed login spikes, credential stuffing attempts, and the use of anonymizers such as Tor.

In Okta, repeated user.authentication.failed events tied to the same IP address signal password spraying. Analysts can select the failures with a System Log filter and apply the rate threshold in the SIEM, since the filter only selects events and does not count them:

eventType eq "user.authentication.failed"
and client.ipAddress eq "x.x.x.x"
and count > 50 within 5 minutes

In Auth0, Attack Protection automatically generates events such as limit_mu (multiple users brute forced) or limit_wc (weak credentials), pointing to accounts under coordinated attack.


Authentication Phase Compromise

Once attackers attempt to bypass authentication controls, two patterns stand out: MFA fatigue and token or session theft.

MFA fatigue occurs when a user receives dozens of push prompts and eventually accepts one. The Okta System Log highlights this with multiple user.mfa.challenge events followed by success:

eventType eq "user.mfa.challenge"
and outcome.result eq "SUCCESS"
and count of challenges > 10 within 5 minutes

Session or token theft is harder to detect. In Okta, the same session ID used from different IP addresses surfaces as multiple user.session.start events with divergent network data:

eventType eq "user.session.start"
| group by sessionId
| where distinct(client.ipAddress) > 1

Auth0 logs show repeated successful logins tied to the same session identifier but originating from different user agents or IPs, another strong signal of token replay.
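The two Okta checks above (the failed-login spike from one IP and the session id reused from several IPs) as one SIEM-side Python routine over constructed System Log-shaped events. This is an added example, not Okta's or the article's own code; it assumes the session id travels in authenticationContext.externalSessionId and that the rate threshold is applied after the events have been retrieved.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_ts(value):
    # Okta publishes ISO-8601 UTC timestamps; fractional seconds are dropped here
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")

def event(event_type, published, ip, user, session=None):
    # Minimal Okta System Log-shaped record (constructed sample, not a real capture)
    return {"eventType": event_type, "published": published,
            "actor": {"alternateId": user}, "client": {"ipAddress": ip},
            "authenticationContext": {"externalSessionId": session}}

# Constructed sample: one IP fails 60 logins across 60 users in under 4 minutes (spray),
# a second IP fails 10 logins spread over an hour (noise), and session sess-A is
# started from two different addresses (possible token replay).
EVENTS = [event("user.authentication.failed", f"2024-05-01T10:{i * 4 // 60:02d}:{i * 4 % 60:02d}Z",
                "203.0.113.7", f"user{i}@example.com") for i in range(60)]
EVENTS += [event("user.authentication.failed", f"2024-05-01T11:{i * 6:02d}:00Z",
                 "198.51.100.5", "alice@example.com") for i in range(10)]
EVENTS += [event("user.session.start", "2024-05-01T12:00:00Z", "192.0.2.10", "bob@example.com", "sess-A"),
           event("user.session.start", "2024-05-01T12:03:00Z", "198.51.100.77", "bob@example.com", "sess-A"),
           event("user.session.start", "2024-05-01T12:05:00Z", "192.0.2.11", "carol@example.com", "sess-B")]

def password_spray_sources(events, threshold=50, window=timedelta(minutes=5)):
    """Return source IPs with more than `threshold` failed logins inside any `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["eventType"] == "user.authentication.failed":
            failures[e["client"]["ipAddress"]].append(parse_ts(e["published"]))
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return flagged

def reused_sessions(events):
    """Return session ids whose user.session.start events came from more than one IP."""
    ips_by_session = defaultdict(set)
    for e in events:
        if e["eventType"] == "user.session.start":
            ips_by_session[e["authenticationContext"]["externalSessionId"]].add(e["client"]["ipAddress"])
    return {sid for sid, ips in ips_by_session.items() if len(ips) > 1}
```

Running `password_spray_sources(EVENTS)` flags only 203.0.113.7, and `reused_sessions(EVENTS)` returns only sess-A; the slow-and-low source stays below the threshold in every 5-minute window.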


Post-Authentication Account Takeover Signals

When authentication succeeds, attackers often reveal themselves through anomalous behavior. Impossible travel is a leading signal: the same identity logging in from Paris and São Paulo within minutes. In Okta, analysts can compare user.session.start events for the same user with timestamps and IP geolocation to flag unrealistic travel.

Beyond location anomalies, sudden data bursts also stand out. Auth0 logs and Defender for Cloud Apps integrations flag suspicious patterns such as mass file downloads or the creation of email forwarding rules, both hallmarks of business email compromise.
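The impossible-travel comparison described above, written out as an added Python example that is not part of the article: it assumes each user.session.start event has already been enriched with the latitude and longitude of client.ipAddress, treats anything faster than 900 km/h between consecutive logins of the same user as unrealistic, and handles the edge case of two logins at the same instant from different places.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

# Constructed sample of user.session.start events, flattened to the fields this check
# needs; lat/lon stand in for the geolocation the IdP attaches to the client IP.
LOGINS = [
    {"user": "alice@example.com", "published": "2024-05-01T09:00:00Z",
     "ip": "203.0.113.7", "lat": 48.8566, "lon": 2.3522},      # Paris
    {"user": "alice@example.com", "published": "2024-05-01T09:12:00Z",
     "ip": "198.51.100.9", "lat": -23.5505, "lon": -46.6333},  # Sao Paulo, 12 minutes later
    {"user": "bob@example.com", "published": "2024-05-01T09:00:00Z",
     "ip": "192.0.2.4", "lat": 51.5074, "lon": -0.1278},       # London
    {"user": "bob@example.com", "published": "2024-05-01T11:30:00Z",
     "ip": "192.0.2.5", "lat": 48.8566, "lon": 2.3522},        # Paris, 2.5 hours later: plausible
]

def impossible_travel(logins, max_speed_kmh=900.0):
    """Flag consecutive logins of one user whose implied speed exceeds max_speed_kmh.

    Returns (user, previous_ip, current_ip, distance_km, speed_kmh) tuples.
    """
    ordered = sorted(logins, key=lambda l: (l["user"], l["published"]))
    alerts = []
    for prev, cur in zip(ordered, ordered[1:]):
        if prev["user"] != cur["user"]:
            continue
        hours = (parse_ts(cur["published"]) - parse_ts(prev["published"])).total_seconds() / 3600
        km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        if km == 0:
            continue  # same place: nothing to flag
        speed = km / hours if hours > 0 else float("inf")  # simultaneous logins far apart
        if speed > max_speed_kmh:
            alerts.append((cur["user"], prev["ip"], cur["ip"], round(km), round(speed, 1)))
    return alerts
```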


Control Plane Compromise

Indicators at the control-plane level are the most dangerous because they often yield persistent attacker access.

Privilege escalation is a top concern. In Okta, user.account.privilege.grant events signal when a user gains admin privileges. Analysts should query for any assignment of Super Administrator rights:

eventType eq "user.account.privilege.grant"
and target.displayName eq "Super Administrator"

Changes to MFA or sign-on policies also reveal compromise attempts. Okta records these under policy.signon.update. Any sudden shift toward weaker policies—such as allowing legacy authentication—should be treated as a red flag.

OAuth abuse is another common indicator. In Auth0, logs of new third-party applications requesting sensitive scopes (like read:users or update:users) often indicate malicious consent. Monitoring for application creation or unexpected scope grants is key.

Federation anomalies, such as Golden SAML, appear in Active Directory Federation Services logs as certificate exports or tokens issued without matching sign-ins.


Non-Human and Workload Identities

Machine identities such as service accounts, CI/CD pipelines, and bots often fall outside normal monitoring. Indicators here include dormant accounts suddenly active again or credentials added outside change windows.

SailPoint Access Insights is effective in surfacing these cases through “Identity Outliers.” For example, if a service principal is granted new entitlements that diverge from its peer group, it will appear in SailPoint’s outlier reports. Event triggers like “Outlier Detected” can automatically initiate certification reviews.


Mobility and Endpoint-Anchored Signals

In mobile-first enterprises, endpoints generate their own indicators. Omnissa Workspace ONE UEM detects when a device flips from “compliant” to “compromised” or when a spike of unenroll/re-enroll events occurs just before suspicious logins.

Feeding these UEM logs into a SIEM allows correlation with IdP events, ensuring compromised devices don’t act as stepping stones into critical apps.


How to Correlate IoCs Across Platforms

The key to validation is correlation. No single source is sufficient. A strong monitoring strategy integrates:

  • Okta: admin privilege grants (user.account.privilege.grant), MFA challenges, and sign-on policy changes.
  • Auth0: Attack Protection events (limit_mu, limit_wc), breached password detection, and risky session reuse.
  • SailPoint: Identity outliers, segregation-of-duties violations, and automated remediation triggers.
  • Omnissa: Device compliance logs and audit trails correlated with login events.

Each adds context, allowing SOC teams to confirm true compromises and cut through false positives.


The Role of AI in Prioritization

The flood of identity-related events can overwhelm even mature SOCs. Here, AI plays a critical role.

Research from ESG and SentinelOne found that 92% of SOC leaders credit GenAI with improving security posture, and 93% report accelerated threat hunting and query writing.

GenAI detection pipelines are increasingly used to prioritize the high-risk IoCs—like privilege escalation or OAuth abuse—over the noise of failed logins.


Conclusion

Identity compromise is now the most consistent path adversaries exploit. Indicators such as MFA fatigue, token replay, malicious consents, or privilege drift must be continuously monitored. By knowing what these IoCs look like in logs—and by correlating across Okta, Auth0, SailPoint, and Omnissa—security leaders can detect compromises before they spread.

At Cloudcomputing, we work with Okta, SailPoint, Delinea, Relock, Auth0, Axway, NEXIS, and Omnissa to ensure identity anomalies never go unseen. Because in the digital age, trust is currency — and defending identity is defending trust.