Detectionmediumtest

Okta Admin Role Assignment Created

Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nikita KhalimonenkovCreated Thu Jan 19139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8cidentity

Log Source

Oktaokta

ProductOkta← raw: okta

Serviceokta← raw: okta

Detection Logic

detection:
    selection:
        eventtype: 'iam.resourceset.bindings.add'
    condition: selection

False Positives

Legitimate creation of a new admin role assignment

References

MITRE ATT&CK

Tactics

Rule Metadata

Rule ID

139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c

Status

test

Level

medium

Type

Detection

Created

Thu Jan 19

Author

Path

rules/identity/okta/okta_admin_role_assignment_created.yml

Raw Tags

attack.persistence