Administrator roles may be assigned to Okta users or groups by authorized super admin users during normal IT operations such as onboarding, role changes, or organizational restructuring. Verify that the behavior was expected and authorized. Exceptions can be added to this rule to filter known administrators, service accounts, or automated provisioning systems.

Techniques

Sample rules

Okta User Assigned Administrator Role

Description

Identifies when an administrator role is assigned to an Okta user or group. Adversaries may assign administrator privileges to compromised accounts to establish persistence, escalate privileges, and maintain long-term access to the environment. This detection monitors for both user-level and group-level administrator privilege grants, which can be used to bypass security controls and perform unauthorized administrative actions.

Detection logic

event.dataset:okta.system
    and event.action: (user.account.privilege.grant or group.privilege.grant)
    and okta.debug_context.debug_data.flattened.privilegeGranted: *administrator*
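The following is an added example, not code from the rule or from Okta or Elastic: it re-implements the KQL above in Python, runs it over a handful of constructed Okta system log events (actors, targets and timestamps are invented; the field names follow the rule), and layers on the exception handling the false-positive note suggests. Two design choices are assumptions of this example rather than anything the rule states: the `*administrator*` wildcard is matched case-insensitively here, because in Elasticsearch a wildcard against a keyword-mapped field is case-sensitive and it is worth being explicit about which behaviour you want; and grants of "Super administrator" are never suppressed, even when the actor is on the known-administrator list, since that is the grant an attacker with a compromised admin account would make.

```python
"""Added example: the Okta administrator-role-grant detection run over
constructed log events, with allowlist exceptions for known admins and
provisioning automation. Not the rule's own code."""
from dataclasses import dataclass, field
from typing import Any

# Constructed sample events using flat, dotted ECS field names as the rule does.
# Actors, targets and timestamps are invented for illustration.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {   # known IT admin onboarding a new help-desk admin: expected, suppressed
        "@timestamp": "2024-05-06T09:12:44Z",
        "event.dataset": "okta.system",
        "event.action": "user.account.privilege.grant",
        "okta.actor.alternate_id": "it-admin@example.com",
        "okta.target": [{"type": "User", "alternate_id": "newhire@example.com"}],
        "okta.debug_context.debug_data.flattened.privilegeGranted": "Help Desk administrator",
    },
    {   # provisioning automation granting a group-level admin role: suppressed
        "@timestamp": "2024-05-06T09:15:02Z",
        "event.dataset": "okta.system",
        "event.action": "group.privilege.grant",
        "okta.actor.alternate_id": "scim-provisioner@example.com",
        "okta.target": [{"type": "UserGroup", "alternate_id": "Helpdesk"}],
        "okta.debug_context.debug_data.flattened.privilegeGranted": "Group administrator",
    },
    {   # known admin granting Super administrator at 03:00: never suppressed
        "@timestamp": "2024-05-07T03:01:19Z",
        "event.dataset": "okta.system",
        "event.action": "user.account.privilege.grant",
        "okta.actor.alternate_id": "it-admin@example.com",
        "okta.target": [{"type": "User", "alternate_id": "contractor@example.com"}],
        "okta.debug_context.debug_data.flattened.privilegeGranted": "Super administrator",
    },
    {   # unrelated event type: the rule's action filter drops it
        "@timestamp": "2024-05-07T03:02:00Z",
        "event.dataset": "okta.system",
        "event.action": "user.session.start",
        "okta.actor.alternate_id": "contractor@example.com",
    },
    {   # actor on no allowlist granting an admin role to a group: alert
        "@timestamp": "2024-05-07T03:05:41Z",
        "event.dataset": "okta.system",
        "event.action": "group.privilege.grant",
        "okta.actor.alternate_id": "contractor@example.com",
        "okta.target": [{"type": "UserGroup", "alternate_id": "Everyone"}],
        "okta.debug_context.debug_data.flattened.privilegeGranted": "Read-only administrator",
    },
]

ADMIN_GRANT_ACTIONS = {"user.account.privilege.grant", "group.privilege.grant"}
PRIVILEGE_FIELD = "okta.debug_context.debug_data.flattened.privilegeGranted"


def matches_rule(event: dict[str, Any]) -> bool:
    """Mirror of the KQL: dataset, action set and the *administrator* wildcard.
    Case is folded here (an assumption of this example) so a differently
    capitalised label is not silently missed."""
    if event.get("event.dataset") != "okta.system":
        return False
    if event.get("event.action") not in ADMIN_GRANT_ACTIONS:
        return False
    return "administrator" in str(event.get(PRIVILEGE_FIELD, "")).lower()


@dataclass
class Exceptions:
    """Allowlists standing in for the rule exceptions the note describes."""
    known_admins: set[str] = field(default_factory=set)
    automation_accounts: set[str] = field(default_factory=set)


# Constructed allowlists for the sample data above.
DEFAULT_EXCEPTIONS = Exceptions(
    known_admins={"it-admin@example.com"},
    automation_accounts={"scim-provisioner@example.com"},
)


def classify(event: dict[str, Any], exceptions: Exceptions) -> str:
    """Return 'no-match', 'suppressed:<reason>' or 'alert' for one event."""
    if not matches_rule(event):
        return "no-match"
    actor = event.get("okta.actor.alternate_id", "")
    privilege = str(event.get(PRIVILEGE_FIELD, ""))
    if actor in exceptions.automation_accounts:
        return "suppressed:automation"
    # Design choice of this example: a Super administrator grant is the one an
    # attacker holding a compromised admin account wants, so it always alerts.
    if actor in exceptions.known_admins and privilege.lower() != "super administrator":
        return "suppressed:known-admin"
    return "alert"


def run(events: list[dict[str, Any]], exceptions: Exceptions) -> list[dict[str, Any]]:
    """Produce one triage record per event that matches and is not excepted."""
    alerts = []
    for ev in events:
        if classify(ev, exceptions) != "alert":
            continue
        alerts.append({
            "timestamp": ev["@timestamp"],
            "actor": ev.get("okta.actor.alternate_id"),
            "action": ev["event.action"],
            "targets": [t["alternate_id"] for t in ev.get("okta.target", [])],
            "privilege": ev[PRIVILEGE_FIELD],
        })
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS, DEFAULT_EXCEPTIONS):
        print(alert)
```

Running the block prints two alerts: the off-hours Super administrator grant by the otherwise trusted admin, and the Read-only administrator grant by an actor on no allowlist. When porting the exceptions back into the rule, prefer filtering on the actor (`okta.actor.alternate_id`) rather than on the target, so a compromised automation account granting itself a role still stands out in the automation account's own audit trail.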