Okta Admin Role Assignment Created
Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence
Sigma rule (View on GitHub)
1title: Okta Admin Role Assignment Created
2id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c
3status: test
4description: Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence
5references:
6 - https://developer.okta.com/docs/reference/api/system-log/
7 - https://developer.okta.com/docs/reference/api/event-types/
8author: Nikita Khalimonenkov
9date: 2023/01/19
10tags:
11 - attack.persistence
12logsource:
13 product: okta
14 service: okta
15detection:
16 selection:
17 eventtype: 'iam.resourceset.bindings.add'
18 condition: selection
19falsepositives:
20 - Legitimate creation of a new admin role assignment
21level: medium
References
Related rules
- Atbroker Registry Change
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures
- HackTool - SharPersist Execution
- Huawei BGP Authentication Failures