LoFP / administrator roles could be assigned to users or group by other admin users.

Techniques

• t1098
• t1098.003

Sample rules

Okta Admin Role Assigned to an User or Group

• source: sigma
• technicques:
  • t1098
  • t1098.003

Description

Detects when an the Administrator role is assigned to an user or group.

Detection logic

condition: selection
selection:
  eventtype:
  - group.privilege.grant
  - user.account.privilege.grant