
Okta administrator role assigned to group

Goal

Detect when an administrator role is assigned to a group in Okta.

Strategy

This rule monitors Okta logs for successful group.privilege.grant events where the @debugContext.debugData.privilegeGranted field contains administrator. Because a role granted to a group applies to every current and future member of that group, a single assignment can expand privileged access far faster than a per-user grant. It is a high-impact change that warrants scrutiny even when performed by authorized personnel.

Triage and response

  • Determine if {{@actor.displayName}} had a legitimate reason to assign an administrator role to the {{@target.displayName}} group.
  • Review the specific administrator role granted in @debugContext.debugData.privilegeGranted and assess the scope of permissions it provides.
  • Identify the members of the {{@target.displayName}} group to understand how many users received elevated privileges.
  • Check for other recent privilege escalation or group membership changes by {{@actor.displayName}} in Okta.
  • Verify whether the change aligns with an approved access request or change management ticket.
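The detection logic from the Strategy section and the "other recent changes by the same actor" triage step, as an added example that is not part of this page or of Datadog's rule engine. It runs over constructed Okta System Log events (IDs, names, timestamps and the "App reviewer" role label are made up); the case-insensitive substring match on privilegeGranted, the 24-hour triage window and the set of related event types are this example's own choices, not the rule's definition.

```python
"""Detection and triage helpers for admin roles granted to Okta groups.

Added example: operates on Okta System Log events as JSON dicts, the same
shape Datadog ingests. All sample data below is constructed.
"""
from datetime import datetime, timedelta

# Constructed sample events; none of these IDs, names or timestamps are real.
SAMPLE_EVENTS = [
    {   # alert: admin role granted to a group
        "uuid": "evt-1", "published": "2024-05-01T12:00:00.000Z",
        "eventType": "group.privilege.grant", "outcome": {"result": "SUCCESS"},
        "actor": {"id": "00u-jane", "type": "User", "displayName": "Jane Admin"},
        "target": [{"id": "00g-eng", "type": "UserGroup", "displayName": "Engineering"}],
        "debugContext": {"debugData": {"privilegeGranted": "Super administrator"}},
    },
    {   # same actor, membership change to the same group shortly before
        "uuid": "evt-2", "published": "2024-05-01T11:30:00.000Z",
        "eventType": "group.user_membership.add", "outcome": {"result": "SUCCESS"},
        "actor": {"id": "00u-jane", "type": "User", "displayName": "Jane Admin"},
        "target": [{"id": "00u-new", "type": "User", "displayName": "New Hire"},
                   {"id": "00g-eng", "type": "UserGroup", "displayName": "Engineering"}],
        "debugContext": {"debugData": {}},
    },
    {   # failed grant: not an alert, but relevant during triage of evt-1
        "uuid": "evt-3", "published": "2024-05-01T11:45:00.000Z",
        "eventType": "group.privilege.grant", "outcome": {"result": "FAILURE"},
        "actor": {"id": "00u-jane", "type": "User", "displayName": "Jane Admin"},
        "target": [{"id": "00g-fin", "type": "UserGroup", "displayName": "Finance"}],
        "debugContext": {"debugData": {"privilegeGranted": "Organization administrator"}},
    },
    {   # successful grant of a constructed non-admin custom role: no alert
        "uuid": "evt-4", "published": "2024-05-01T09:00:00.000Z",
        "eventType": "group.privilege.grant", "outcome": {"result": "SUCCESS"},
        "actor": {"id": "00u-bob", "type": "User", "displayName": "Bob Ops"},
        "target": [{"id": "00g-sup", "type": "UserGroup", "displayName": "Support"}],
        "debugContext": {"debugData": {"privilegeGranted": "App reviewer"}},
    },
    {   # same actor as evt-1 but outside the triage window
        "uuid": "evt-5", "published": "2024-04-20T08:00:00.000Z",
        "eventType": "group.user_membership.add", "outcome": {"result": "SUCCESS"},
        "actor": {"id": "00u-jane", "type": "User", "displayName": "Jane Admin"},
        "target": [{"id": "00g-eng", "type": "UserGroup", "displayName": "Engineering"}],
        "debugContext": {"debugData": {}},
    },
    {   # alert: a lower-scope admin role still matches and still needs scope review
        "uuid": "evt-6", "published": "2024-05-01T14:00:00.000Z",
        "eventType": "group.privilege.grant", "outcome": {"result": "SUCCESS"},
        "actor": {"id": "00u-bob", "type": "User", "displayName": "Bob Ops"},
        "target": [{"id": "00g-sup", "type": "UserGroup", "displayName": "Support"}],
        "debugContext": {"debugData": {"privilegeGranted": "Help Desk administrator"}},
    },
]


def _privilege(event):
    """Return debugContext.debugData.privilegeGranted, or '' when absent."""
    debug = (event.get("debugContext") or {}).get("debugData") or {}
    return debug.get("privilegeGranted") or ""


def _group_target(event):
    """Okta lists several targets; pick the UserGroup one."""
    for target in event.get("target") or []:
        if target.get("type") == "UserGroup":
            return target
    return {}


def is_admin_role_grant_to_group(event):
    """The rule's three conditions: event type, SUCCESS outcome, admin role."""
    return (
        event.get("eventType") == "group.privilege.grant"
        and (event.get("outcome") or {}).get("result") == "SUCCESS"
        and "administrator" in _privilege(event).lower()  # case-insensitive by choice
    )


def detect(events):
    """Return one alert summary per matching event, in input order."""
    alerts = []
    for e in events:
        if not is_admin_role_grant_to_group(e):
            continue
        actor, group = e.get("actor") or {}, _group_target(e)
        alerts.append({
            "event_id": e.get("uuid"), "published": e.get("published"),
            "actor": actor.get("displayName"), "actor_id": actor.get("id"),
            "group": group.get("displayName"), "group_id": group.get("id"),
            "role": _privilege(e),
        })
    return alerts


# Starting set of event types worth pulling for the same actor during triage.
RELATED_EVENT_TYPES = {"group.privilege.grant", "group.user_membership.add",
                       "user.account.privilege.grant"}


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def related_actor_activity(events, alert, window_hours=24):
    """Other privilege or membership changes by the alert's actor within the window.

    Failed attempts are kept on purpose: they are part of the actor's story.
    """
    center = _ts(alert["published"])
    lo, hi = center - timedelta(hours=window_hours), center + timedelta(hours=window_hours)
    return [
        e for e in events
        if e.get("uuid") != alert["event_id"]
        and (e.get("actor") or {}).get("id") == alert["actor_id"]
        and e.get("eventType") in RELATED_EVENT_TYPES
        and lo <= _ts(e["published"]) <= hi
    ]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        related = related_actor_activity(SAMPLE_EVENTS, alert)
        print(f"{alert['actor']} granted '{alert['role']}' to group {alert['group']}; "
              f"{len(related)} related event(s) by the same actor within 24h")
```

Note that evt-6 fires even though "Help Desk administrator" is far narrower than "Super administrator": the match is on the word administrator, so reviewing the scope of the granted role (triage step 2) is what separates a routine change from a critical one. Enumerating the group's members (step 3) needs a lookup against Okta that this offline example does not perform.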