Okta admin privilege assignment

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-18
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Okta Audit Log

Detection Modules

Identity Threat Module

ATT&CK Tactic

Privilege Escalation (TA0004)

ATT&CK Technique

Account Manipulation: Additional Cloud Credentials (T1098.001)

Severity

Informational

Description

A user assigned admin privileges to a new user or group.

Attacker's Goals

An attacker is attempting to gain access to sensitive information or systems, while privilege escalation involves their attempt to increase control and access within the system or network.

Investigative actions

  • Reach out to the user responsible for the alert to confirm the legitimacy of the activity.
  • Examine the user's actions preceding and following the activation of the alert.
  • Analyze the actions carried out by the user responsible for granting permission.

Variations

Abnormal Okta admin privilege assignment with suspicious characteristics

Synopsis

ATT&CK Tactic

Privilege Escalation (TA0004)

ATT&CK Technique

Account Manipulation: Additional Cloud Credentials (T1098.001)

Severity

Low

Description

A suspicious user assignment of admin privileges to a new user or group.

Attacker's Goals

An attacker is attempting to gain access to sensitive information or systems, while privilege escalation involves their attempt to increase control and access within the system or network.

Investigative actions

  • Reach out to the user responsible for the alert to confirm the legitimacy of the activity.
  • Examine the user's actions preceding and following the activation of the alert.
  • Analyze the actions carried out by the user responsible for granting permission.