Okta Admin Role Assigned to an User or Group
Detects when an the Administrator role is assigned to an user or group.
Sigma rule (View on GitHub)
1title: Okta Admin Role Assigned to an User or Group
2id: 413d4a81-6c98-4479-9863-014785fd579c
3status: test
4description: Detects when an the Administrator role is assigned to an user or group.
5references:
6 - https://developer.okta.com/docs/reference/api/system-log/
7 - https://developer.okta.com/docs/reference/api/event-types/
8author: Austin Songer @austinsonger
9date: 2021-09-12
10modified: 2022-10-09
11tags:
12 - attack.persistence
13 - attack.t1098.003
14logsource:
15 product: okta
16 service: okta
17detection:
18 selection:
19 eventtype:
20 - group.privilege.grant
21 - user.account.privilege.grant
22 condition: selection
23falsepositives:
24 - Administrator roles could be assigned to users or group by other admin users.
25
26level: medium
References
Related rules
- App Granted Privileged Delegated Or App Permissions
- Github Outside Collaborator Detected
- Granting Of Permissions To An Account
- User Added to an Administrator's Azure AD Role
- A Member Was Added to a Security-Enabled Global Group