Okta Admin Role Assignment Created

calendar Nov 3, 2025 · attack.persistence  ·
Share on: linkedin copy

Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence

Sigma rule (View on GitHub)

 1title: Okta Admin Role Assignment Created
 2id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c
 3status: test
 4description: Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence
 5references:
 6    - https://developer.okta.com/docs/reference/api/system-log/
 7    - https://developer.okta.com/docs/reference/api/event-types/
 8author: Nikita Khalimonenkov
 9date: 2023-01-19
10tags:
11    - attack.persistence
12logsource:
13    product: okta
14    service: okta
15detection:
16    selection:
17        eventtype: 'iam.resourceset.bindings.add'
18    condition: selection
19falsepositives:
20    - Legitimate creation of a new admin role assignment
21level: medium

References

  • System Log

    The Okta System Log records system events that are related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. The System Log API provides near real-time, read-only access to your organization's System Log and is the programmatic counterpart of the [System Log UI](https://help.okta.com/okta_help.htm?id=ext_Reports_SysLog). The terms "event" and "log event" are often used interchangeably. In the context of this API, an "event" is an occurrence of interest within the system, and a "log" or "log event" is the recorded fact. The System Log API supports these primary use cases: * Event data export into a security information and event management system (SIEM) * System monitoring * Development debugging * Event introspection and audit > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). For further details and examples, see [System Log query](https://developer.okta.com/docs/reference/system-log-query/).


    Read More

  • Event Types | Okta Developer

    Secure, scalable, and highly available authentication and user management for any app.


    Read More

Related rules

to-top