Elastic Security Detection Rules

Okta User Assigned Administrator Role

Last updated a month ago on 2026-02-03
Created 5 years ago on 2020-11-06

About

Identifies when an administrator role is assigned to an Okta user or group. Adversaries may assign administrator privileges to compromised accounts to establish persistence, escalate privileges, and maintain long-term access to the environment. This detection monitors for both user-level and group-level administrator privilege grants, which can be used to bypass security controls and perform unauthorized administrative actions.
Tags
Domain: IdentityData Source: OktaData Source: Okta System LogsUse Case: Identity and Access AuditTactic: PersistenceLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Persistence (TA0003)(external, opens in a new tab or window)

Account Manipulation (T1098)(external, opens in a new tab or window)

False Positive Examples
Administrator roles may be assigned to Okta users or groups by authorized Super Admin users during normal IT operations such as onboarding, role changes, or organizational restructuring. Verify that the behavior was expected and authorized. Exceptions can be added to this rule to filter known administrators, service accounts, or automated provisioning systems.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-okta*
Related Integrations

okta(external, opens in a new tab or window)

Query
text code block:
event.dataset:okta.system
    and event.action: (user.account.privilege.grant or group.privilege.grant)
    and okta.debug_context.debug_data.flattened.privilegeGranted: *administrator*

Install detection rules in Elastic Security

Detect Okta User Assigned Administrator Role in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).