Detectionmediumtest

Okta Admin Role Assigned to an User or Group

Detects when an the Administrator role is assigned to an user or group.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Austin SongerCreated Sun Sep 12Updated Mon Apr 27413d4a81-6c98-4479-9863-014785fd579cidentity

Log Source

Oktaokta

ProductOkta← raw: okta

Serviceokta← raw: okta

Detection Logic

detection:
    selection:
        eventType:
            - group.privilege.grant
            - user.account.privilege.grant
    condition: selection

False Positives

Administrator roles could be assigned to users or group by other admin users.

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

413d4a81-6c98-4479-9863-014785fd579c

Status

test

Level

medium

Type

Detection

Created

Sun Sep 12

Modified

Mon Apr 27

Author

Path

rules/identity/okta/okta_admin_role_assigned_to_user_or_group.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.t1098.003