Okta administrator role assigned to user

okta

Classification:

attack

Tactic:

Set up the Okta integration.

Goal

Detect when administrative privileges are provisioned to an Okta user.

Strategy

This rule lets you monitor the following Okta event to detect when administrative privileges are provisioned:

  • user.account.privilege.grant

Triage and response

  1. Contact the Okta administrator: {{@usr.email}} to confirm that the user or users should have administrative privileges.
  2. If the change was not authorized, verify there are no other signals from the Okta administrator: {{@usr.email}}.
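The two triage steps above can be run over exported events, as in this added example (not part of the rule itself). It finds each `user.account.privilege.grant` event, reports who granted what to whom, and lists the granting administrator's other activity in the same batch. The sample events are constructed, and the field names (`actor.alternateId`, `target[]`, `debugContext.debugData.privilegeGranted`) and the `self_grant` flag are assumptions about the Okta System Log shape rather than details from this page.

```python
import json

GRANT_EVENT = "user.account.privilege.grant"  # event type this rule monitors

# Constructed sample data shaped like Okta System Log events, one JSON object per line.
# Field names are assumptions about the log shape, not taken from the rule page.
SAMPLE_LOG = """\
{"published":"2024-01-10T09:00:00Z","eventType":"user.session.start","actor":{"alternateId":"admin@example.com"},"target":[]}
{"published":"2024-01-10T09:05:00Z","eventType":"user.account.privilege.grant","actor":{"alternateId":"admin@example.com"},"target":[{"type":"User","alternateId":"bob@example.com"}],"debugContext":{"debugData":{"privilegeGranted":"Super administrator"}}}
{"published":"2024-01-10T09:06:00Z","eventType":"system.api_token.create","actor":{"alternateId":"admin@example.com"},"target":[]}
{"published":"2024-01-10T09:07:00Z","eventType":"user.session.start","actor":{"alternateId":"carol@example.com"},"target":[]}
"""

def parse_events(text):
    """Parse newline-delimited JSON, skipping blank, malformed or non-object lines."""
    events = []
    for line in text.splitlines():
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events

def triage_grants(events):
    """Return one finding per privilege grant, with the granting admin's other activity."""
    findings = []
    for ev in events:
        if ev.get("eventType") != GRANT_EVENT:
            continue
        actor = ev.get("actor", {}).get("alternateId")
        recipients = [t.get("alternateId") for t in ev.get("target", []) if t.get("type") == "User"]
        debug = ev.get("debugContext", {}).get("debugData", {})
        # Triage step 2: every other event from the same administrator in this batch.
        other = [(e.get("published"), e.get("eventType")) for e in events
                 if e is not ev and e.get("actor", {}).get("alternateId") == actor]
        findings.append({
            "time": ev.get("published"),
            "granted_by": actor,          # who to contact in triage step 1
            "granted_to": recipients,
            "privilege": debug.get("privilegeGranted", "unknown"),
            "self_grant": actor in recipients,
            "other_actor_events": other,
        })
    return findings

if __name__ == "__main__":
    for finding in triage_grants(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```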