SIEM × Platform · Splunk · Okta System Log

Splunk detections for Okta System Log

Last reviewed:

Sigma rule outputs from CloudSigma rendered into Splunk queries against the Okta System Log schema. Every rule is mapped to MITRE ATT&CK and validated against its dialect.

01 Coverage at a glance
7
Production rules
4
ATT&CK techniques
3
ATT&CK tactics
Splunk
Output dialect
02 Rule index
Technique Rule Severity Log source
T1078 Valid Accounts on Okta System Log medium Okta System Log
T1078 Valid Accounts on Okta System Log medium Okta System Log
T1078.004 Valid Accounts: Cloud Accounts on Okta System Log medium Okta System Log
T1098 Account Manipulation on Okta System Log medium Okta System Log
T1098 Account Manipulation on Okta System Log medium Okta System Log
T1098 Account Manipulation on Okta System Log medium Okta System Log
T1528 Steal Application Access Token on Okta System Log medium Okta System Log
03 Example rule

Okta Admin Role Assignment, generated by CloudSigma and validated against the Splunk dialect.

L1 · production verified 2026-06-06 · sha256:6a68cc86cabb2767 Verify in CloudSigma →
Sigma rule · CloudSigma Splunk · Okta System Log · 2026-02-09 
title: Okta Admin Role Assignment
id: 478d1624-f385-4bfe-9181-d184b59c7fc1
status: test
description: >
    Detects assignment of administrative privileges in Okta. Attackers with
    access to an Okta account may escalate privileges by granting admin
    roles to compromised or attacker-controlled accounts.
author: CloudSigma
date: 2026-02-09
references:
    - https://attack.mitre.org/techniques/T1098/
    - https://developer.okta.com/docs/reference/api/system-log/
tags:
    - attack.persistence
    - attack.t1098
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType:
            - user.account.privilege.grant
            - group.privilege.grant
        outcome.result: SUCCESS
    condition: selection
falsepositives:
    - Legitimate admin onboarding new IT staff
    - Scheduled role rotation by identity governance team
level: high
← Back to Sigma library
Sources
  • Sigma project, https://github.com/SigmaHQ/sigma
  • Splunk documentation, https://docs.splunk.com/
Last verified: 2026-06-06