Okta Admin Role Assignment Created

Apr 27, 2026 · attack.persistence ·

Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence

Sigma rule (View on GitHub)

 1title: Okta Admin Role Assignment Created
 2id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c
 3status: test
 4description: Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence
 5references:
 6    - https://developer.okta.com/docs/reference/api/system-log/
 7    - https://developer.okta.com/docs/reference/api/event-types/
 8author: Nikita Khalimonenkov
 9date: 2023-01-19
10modified: 2026-04-27
11tags:
12    - attack.persistence
13logsource:
14    product: okta
15    service: okta
16detection:
17    selection:
18        eventType: 'iam.resourceset.bindings.add'
19    condition: selection
20falsepositives:
21    - Legitimate creation of a new admin role assignment
22level: medium

References

System Log

Read More
Event Types | Okta Developer

Secure, scalable, and highly available authentication and user management for any app.

Read More

Okta Admin Role Assignment Created

Sigma rule (View on GitHub)

References

System Log

Event Types | Okta Developer

Related rules