Okta administrator role assigned to user

Goal

Detect when administrative privileges (Super Administrator or Organization Administrator roles) are provisioned to an Okta user.

Strategy

This rule lets you monitor the following Okta event to detect when administrative privileges are provisioned:

  • user.account.privilege.grant

Triage and response

  1. Examine the event details to confirm the exact role in {{@debugContext.debugData.privilegeGranted}} and identify the target account receiving the role.
  2. Identify the actor who performed the grant and validate that an approved request or change ticket exists for this assignment.
  3. Review recent authentication activity for both the actor and target accounts, including MFA usage, new device or geo‑location signals, and failed login attempts.
  4. Check the source IP {{@network.client.ip}} and geo‑location for the actor and determine whether they align with expected administrative patterns.
  5. If user activity is suspicious, begin your organization’s incident response process and investigate for any account takeovers.
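
The rule logic and the triage fields above, shown as an added Python example (not the rule's own query and not Okta's or the vendor's code): it filters constructed System Log events on user.account.privilege.grant and extracts the role, actor, target and source IP that the triage steps ask for. The raw event layout, the comma-separated privilegeGranted value and the case-insensitive role match are assumptions.

```python
# Roles named in the Goal section; compared case-insensitively (assumed casing).
WATCHED_ROLES = {"super administrator", "organization administrator"}

def _event(event_type, actor, target, ip, privilege=None):
    debug = {"privilegeGranted": privilege} if privilege else {}
    return {
        "eventType": event_type,
        "actor": {"alternateId": actor},
        "target": [{"type": "User", "alternateId": target}],
        "client": {"ipAddress": ip},
        "debugContext": {"debugData": debug},
    }

# Constructed sample events in Okta System Log shape; documentation IP ranges.
SAMPLE_EVENTS = [
    _event("user.account.privilege.grant", "it-admin@example.com",
           "alice@example.com", "203.0.113.10", "Super administrator"),
    _event("user.account.privilege.grant", "it-admin@example.com",
           "bob@example.com", "203.0.113.10", "Read-only administrator"),
    _event("user.account.privilege.grant", "helpdesk@example.com",
           "carol@example.com", "198.51.100.7",
           "Help desk administrator, Organization Administrator"),
    _event("user.session.start", "alice@example.com",
           "alice@example.com", "203.0.113.10"),
]

def admin_grants(events):
    """Return triage records for grants of a watched administrator role."""
    findings = []
    for ev in events:
        if ev.get("eventType") != "user.account.privilege.grant":
            continue
        debug = (ev.get("debugContext") or {}).get("debugData") or {}
        granted = debug.get("privilegeGranted") or ""
        # Assumption: several roles in one grant arrive comma-separated.
        roles = [r.strip() for r in granted.split(",")
                 if r.strip().lower() in WATCHED_ROLES]
        if roles:
            findings.append({
                "roles": roles,
                "actor": (ev.get("actor") or {}).get("alternateId"),
                "targets": [t.get("alternateId") for t in ev.get("target") or []
                            if t.get("type") == "User"],
                "source_ip": (ev.get("client") or {}).get("ipAddress"),
            })
    return findings

if __name__ == "__main__":
    for finding in admin_grants(SAMPLE_EVENTS):
        print(finding)
```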

Changelog

  • 11 December 2025 - Updated query to filter on super and organization administrator roles.