Okta Admin Role Assignment Created
Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence
Sigma rule (View on GitHub)
1title: Okta Admin Role Assignment Created
2id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c
3status: test
4description: Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence
5references:
6 - https://developer.okta.com/docs/reference/api/system-log/
7 - https://developer.okta.com/docs/reference/api/event-types/
8author: Nikita Khalimonenkov
9date: 2023-01-19
10tags:
11 - attack.persistence
12logsource:
13 product: okta
14 service: okta
15detection:
16 selection:
17 eventtype: 'iam.resourceset.bindings.add'
18 condition: selection
19falsepositives:
20 - Legitimate creation of a new admin role assignment
21level: medium
References
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- AWS ECS Task Definition That Queries The Credential Endpoint