Overview
Tuned existing rule to expand detection coverage for administrator privilege grants in Okta. The rule now detects both user-level and group-level administrator role assignments, providing more comprehensive visibility into potential privilege escalation and persistence activities.
Changes Made
Query Enhancement
- Previous: Only detected `user.account.privilege.grant` events
- Updated: Now detects both `user.account.privilege.grant` and `group.privilege.grant` events
- Benefit: Captures administrator privileges assigned at the group level, which can affect multiple users simultaneously

```
event.dataset:okta.system
and event.action: (user.account.privilege.grant or group.privilege.grant)
and okta.debug_context.debug_data.flattened.privilegeGranted: *administrator*
```
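To show what the tuned query accepts and rejects, here is an added example (not the rule's own code) that re-implements its three clauses in Python and runs them over constructed Okta system-log lines. The `*administrator*` wildcard is applied case-insensitively here, which is an assumption about how the field is mapped in the index.

```python
import fnmatch
import json

# Rule clauses taken from the query above (re-implemented here as an added example).
DATASET = "okta.system"
ACTIONS = {"user.account.privilege.grant", "group.privilege.grant"}
PRIVILEGE_PATTERN = "*administrator*"  # KQL wildcard from the rule query

# Constructed sample events in the ECS layout the Okta integration produces.
SAMPLE_NDJSON = """\
{"event":{"dataset":"okta.system","action":"user.account.privilege.grant"},"okta":{"actor":{"alternate_id":"ops@example.com"},"debug_context":{"debug_data":{"flattened":{"privilegeGranted":"Super administrator"}}}}}
{"event":{"dataset":"okta.system","action":"group.privilege.grant"},"okta":{"actor":{"alternate_id":"ops@example.com"},"debug_context":{"debug_data":{"flattened":{"privilegeGranted":["Organization administrator"]}}}}}
{"event":{"dataset":"okta.system","action":"group.user_membership.add"},"okta":{"actor":{"alternate_id":"hr@example.com"}}}
{"event":{"dataset":"okta.system","action":"user.account.privilege.grant"},"okta":{"actor":{"alternate_id":"hr@example.com"},"debug_context":{"debug_data":{"flattened":{"privilegeGranted":"Report admin"}}}}}
"""

def _get(event, dotted):
    """Walk a dotted ECS path; return None if any level is missing."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def matches_admin_grant(event):
    """True when one parsed Okta system-log event satisfies all three query clauses."""
    if _get(event, "event.dataset") != DATASET:
        return False
    if _get(event, "event.action") not in ACTIONS:
        return False
    granted = _get(event, "okta.debug_context.debug_data.flattened.privilegeGranted")
    if granted is None:
        return False
    # The field may carry one role name or a list; any value matching the wildcard hits.
    values = granted if isinstance(granted, list) else [granted]
    return any(fnmatch.fnmatchcase(str(v).lower(), PRIVILEGE_PATTERN) for v in values)

def find_admin_grants(ndjson_text):
    """Parse NDJSON log lines and return (actor, action) for each matching event, for triage."""
    hits = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if matches_admin_grant(ev):
            hits.append((_get(ev, "okta.actor.alternate_id"), _get(ev, "event.action")))
    return hits

if __name__ == "__main__":
    for actor, action in find_admin_grants(SAMPLE_NDJSON):
        print(f"ALERT: {actor} performed {action}")
```

The third line is rejected on `event.action` and the fourth on the wildcard, so only the user-level and group-level grants produce alerts.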
Updated Content
- Description: Updated to reflect detection of both user and group privilege grants
- Investigation Guide:
  - Removed AI-generated disclaimer
  - Enhanced investigation steps with specific Okta field references
  - Added guidance on reviewing group-level privilege grants
  - Improved response and remediation actions for Okta environments
- False Negatives: Updated to account for group-level assignments and automated provisioning systems
- Rule Name: Updated from "Administrator Role Assigned to an Okta User" to "Okta User Assigned Administrator Role"
Detection Rationale
Adversaries who compromise Okta accounts may assign administrator privileges to:
- Establish persistence in the identity infrastructure
- Escalate privileges for compromised accounts
- Maintain long-term access to the environment
- Bypass security controls through administrative access
Detecting both user and group-level privilege grants provides comprehensive coverage of privilege escalation techniques, as group assignments can affect multiple users and may be used to evade detection.
References
Files Changed
rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml