Okta Admin Role Assigned to an User or Group

 1title: Okta Admin Role Assigned to an User or Group
 2id: 413d4a81-6c98-4479-9863-014785fd579c
 3status: test
 4description: Detects when an the Administrator role is assigned to an user or group.
 5references:
 6    - https://developer.okta.com/docs/reference/api/system-log/
 7    - https://developer.okta.com/docs/reference/api/event-types/
 8author: Austin Songer @austinsonger
 9date: 2021/09/12
10modified: 2022/10/09
11tags:
12    - attack.persistence
13    - attack.t1098.003
14logsource:
15    product: okta
16    service: okta
17detection:
18    selection:
19        eventtype:
20            - group.privilege.grant
21            - user.account.privilege.grant
22    condition: selection
23falsepositives:
24    - Administrator roles could be assigned to users or group by other admin users.
25
26level: medium

References

• System Log | Okta Developer

  

  Secure, scalable, and highly available authentication and user management for any app.

  
  Read More

• Event Types | Okta Developer

  Secure, scalable, and highly available authentication and user management for any app.

  
  Read More

Related rules

• Okta API Token Created
• Okta MFA Reset or Deactivated
• Loading of Kernel Module via Insmod
• Setuid and Setgid
• Systemd Service Reload or Start