From 13a26aaffaf3e0767f2b40c28ae68b9b8f269b4c Mon Sep 17 00:00:00 2001
From: nikitah4x <58976181+nikitah4x@users.noreply.github.com>
Date: Thu, 19 Jan 2023 21:22:58 +0200
Subject: [PATCH] Create okta_admin_role_assignment_created.yml

---
 .../okta_admin_role_assignment_created.yml    | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/cloud/okta/okta_admin_role_assignment_created.yml

diff --git a/rules/cloud/okta/okta_admin_role_assignment_created.yml b/rules/cloud/okta/okta_admin_role_assignment_created.yml
new file mode 100644
index 000000000..85ba649c6
--- /dev/null
+++ b/rules/cloud/okta/okta_admin_role_assignment_created.yml
@@ -0,0 +1,21 @@
+title: Okta Admin Role Assignment Created
+id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c
+status: test
+description: Detects when a new admin role assignment is created
+references:
+    - https://developer.okta.com/docs/reference/api/system-log/
+    - https://developer.okta.com/docs/reference/api/event-types/
+author: Nikita Khalimonenkov
+date: 2023/01/19
+tags:
+    - attack.persistence
+logsource:
+    product: okta
+    service: okta
+detection:
+    selection:
+        eventtype: iam.resourceset.bindings.add
+    condition: selection
+falsepositives:
+    - Legitimate creation of a new admin role assignment
+level: medium