Okta administrator role assigned to user

Classification:

attack

Tactic:

Set up the okta integration.

Goal

Detect when administrative privileges are provisioned to an Okta user.

This rule lets you monitor the following Okta event to detect when administrative privileges are provisioned:

Contact the Okta administrator: {{@usr.email}} to confirm that the user or users should have administrative privileges.
If the change was not authorized, verify there are no other signals from the Okta administrator: {{@usr.email}}.