Administrator Role Assigned to an Okta User

calendar Dec 9, 2024 · Data Source: Okta Use Case: Identity and Access Audit Tactic: Persistence  ·
Share on: linkedin copy

Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/06"
 3integration = ["okta"]
 4maturity = "production"
 5updated_date = "2024/12/09"
 6min_stack_version = "8.15.0"
 7min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator
13role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's
14environment.
15"""
16false_positives = [
17    """
18    Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected.
19    Exceptions can be added to this rule to filter expected behavior.
20    """,
21]
22index = ["filebeat-*", "logs-okta*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Administrator Role Assigned to an Okta User"
26note = """## Setup
27
28The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
29references = [
30    "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
31    "https://developer.okta.com/docs/reference/api/system-log/",
32    "https://developer.okta.com/docs/reference/api/event-types/",
33    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
34    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
35    "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
36    "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know",
37]
38risk_score = 47
39rule_id = "f06414a6-f2a4-466d-8eba-10f85e8abf71"
40severity = "medium"
41tags = ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
42timestamp_override = "event.ingested"
43type = "query"
44
45query = '''
46event.dataset:okta.system and event.action:user.account.privilege.grant
47'''
48
49
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52[[rule.threat.technique]]
53id = "T1098"
54name = "Account Manipulation"
55reference = "https://attack.mitre.org/techniques/T1098/"
56
57
58[rule.threat.tactic]
59id = "TA0003"
60name = "Persistence"
61reference = "https://attack.mitre.org/tactics/TA0003/"

Setup

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top