
Splunk detections for Okta System Log

Sigma rules produced by CloudSigma, rendered into Splunk queries against the Okta System Log schema. Every rule is mapped to MITRE ATT&CK and validated against the Splunk dialect.

01 Coverage at a glance
  • 6 production rules
  • 3 ATT&CK techniques
  • 2 ATT&CK tactics
  • Output dialect: Splunk
02 Rule index

Technique   Rule                                                 Severity   Log source
T1078       Valid Accounts on Okta System Log                    medium     Okta System Log
T1078       Valid Accounts on Okta System Log                    medium     Okta System Log
T1078.004   Valid Accounts: Cloud Accounts on Okta System Log    medium     Okta System Log
T1098       Account Manipulation on Okta System Log              medium     Okta System Log
T1098       Account Manipulation on Okta System Log              medium     Okta System Log
T1098       Account Manipulation on Okta System Log              medium     Okta System Log
03 Example rule

Okta Administrative Role or Privileged Group Assignment, generated by CloudSigma and validated against the Splunk dialect.

This rule is currently experimental. CloudSigma generated it from upstream threat intelligence; before enabling it in production, review the rule's falsepositives section and tune the rendered query in your SIEM against your environment's known automation, service accounts and IP allowlist.

Sigma rule (CloudSigma, Splunk dialect, Okta System Log, 2026-04-24):
title: Okta Administrative Role or Privileged Group Assignment
id: d6e7f8a9-b0c1-4d2e-3f4a-5b6c7d8e9f0a
status: experimental
description: >
    Detects assignment of Okta administrator roles or membership
    changes to privileged groups. Adversaries who compromise an Okta
    admin (the canonical T1078.004 Cloud Account abuse path) use
    these events to grant themselves persistent control. The earlier
    version of this rule fired on every successful SSO login to a
    cloud console — a normal-business-hours activity — and is
    replaced here with the privilege-grant signal which is rare,
    high-fidelity and directly actionable.
author: CloudSigma
date: 2026-04-24
references:
    - https://attack.mitre.org/techniques/T1078/004/
    - https://developer.okta.com/docs/reference/api/event-types/
    - https://help.okta.com/en-us/content/topics/security/administrators-admin-comparison.htm
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1078.004
logsource:
    product: okta
    service: okta
detection:
    selection_role_grant:
        eventType:
            - user.account.privilege.grant
            - user.account.privilege.revoke
        outcome.result: SUCCESS
    selection_admin_group:
        eventType: group.user_membership.add
        outcome.result: SUCCESS
        target.displayName|contains:
            - Admin
            - Administrator
            - Super
            - Privileged
    condition: selection_role_grant or selection_admin_group
falsepositives:
    - Documented onboarding of a new IT or security operator
    - Quarterly access reviews that reassign administrative scope
    - SCIM provisioning from an upstream HR system reflecting role changes
fields:
    - actor.alternateId
    - actor.displayName
    - target.alternateId
    - target.displayName
    - eventType
    - client.ipAddress
level: high
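As an added, stand-alone check (not CloudSigma's own code or its Splunk rendering): a Python evaluator that applies the rule's two selections and its condition to Okta System Log events in the JSON shape the Okta API returns, so the logic can be exercised offline before the rendered query goes live. It treats Sigma's contains modifier as case-insensitive and fans out over Okta's target array; the five sample events are constructed, and the second one mimics the SCIM provisioning false positive the rule lists.

```python
ROLE_EVENTS = {"user.account.privilege.grant", "user.account.privilege.revoke"}
PRIVILEGED_NAMES = ("admin", "administrator", "super", "privileged")  # Sigma 'contains' is case-insensitive
FIELDS = ["actor.alternateId", "actor.displayName", "target.alternateId",
          "target.displayName", "eventType", "client.ipAddress"]

def values(event: dict, dotted: str) -> list:
    """Resolve a dotted Sigma field path; Okta's 'target' is an array, so fan out over lists."""
    nodes = [event]
    for part in dotted.split("."):
        items = [i for n in nodes for i in (n if isinstance(n, list) else [n])]
        nodes = [i[part] for i in items if isinstance(i, dict) and part in i]
    return [v for n in nodes for v in (n if isinstance(n, list) else [n])]

def selection_role_grant(event: dict) -> bool:
    return (any(v in ROLE_EVENTS for v in values(event, "eventType"))
            and "SUCCESS" in values(event, "outcome.result"))

def selection_admin_group(event: dict) -> bool:
    names = [str(v).lower() for v in values(event, "target.displayName")]
    return ("group.user_membership.add" in values(event, "eventType")
            and "SUCCESS" in values(event, "outcome.result")
            and any(key in name for name in names for key in PRIVILEGED_NAMES))

def matches(event: dict) -> bool:
    """condition: selection_role_grant or selection_admin_group"""
    return selection_role_grant(event) or selection_admin_group(event)

def run(events: list) -> list:
    """One alert per matching event, projected onto the rule's 'fields' list."""
    return [{f: values(e, f) for f in FIELDS} for e in events if matches(e)]

# Constructed sample events (not from any real tenant); shape follows the Okta System Log API.
SAMPLE_EVENTS = [
    {"eventType": "user.account.privilege.grant", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"},
     "target": [{"alternateId": "bob@example.com", "displayName": "Bob"}, {"displayName": "Super Administrator"}]},
    {"eventType": "group.user_membership.add", "outcome": {"result": "SUCCESS"},    # SCIM false positive
     "actor": {"alternateId": "svc-scim@example.com"}, "client": {"ipAddress": "198.51.100.7"},
     "target": [{"alternateId": "carol@example.com", "displayName": "Carol"}, {"displayName": "Okta Admins"}]},
    {"eventType": "group.user_membership.add", "outcome": {"result": "SUCCESS"},    # ordinary group, no alert
     "actor": {"alternateId": "hr-bot@example.com"}, "target": [{"displayName": "Sales-EMEA"}]},
    {"eventType": "user.account.privilege.grant", "outcome": {"result": "FAILURE"},  # failed grant, no alert
     "actor": {"alternateId": "erin@example.com"}, "target": [{"displayName": "Super Administrator"}]},
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},            # plain login, no alert
     "actor": {"alternateId": "dave@example.com"}, "client": {"ipAddress": "192.0.2.4"}},
]
ALERTS = run(SAMPLE_EVENTS)  # two alerts: the role grant and the privileged-group add
```

The svc-scim alert is exactly the case the falsepositives section describes, which is where an allowlist on actor.alternateId would be applied in the rendered query.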
Sources
  • Sigma project, https://github.com/SigmaHQ/sigma
  • Splunk documentation, https://docs.splunk.com/
Last verified: 2026-04-24