
Administrator Role Assigned to an Okta User

Elastic Detection Rules

Summary
This detection rule fires when an administrator role is assigned to an Okta user. In an organization that relies on Okta for access control, an adversary who has compromised an account can grant it, or another account under their control, administrative privileges to widen access and persist, so an unexpected grant is a strong signal of account manipulation. The rule alerts on privilege-grant events captured by the Elastic Okta integration. The investigation guidance covers reviewing the surrounding Okta system logs, checking the granting account's recent activity, and confirming with the owner or change process that the assignment was intended; an unauthorized grant calls for immediate response, since the new administrator can alter other users and policies. The most common false positives are legitimate administrative routines such as onboarding and ticketed role changes, which should be handled with exceptions for known provisioning paths rather than by disabling the rule.
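The following is an added example, not code from the Elastic rule or from Okta. It replays the rule's matching logic (the Okta System Log event type `user.account.privilege.grant`, which the Okta integration exposes as `event.action`) over a handful of constructed Okta System Log events, then attaches the triage context the summary above calls for: who granted the role, to whom, which role, whether the actor granted it to their own account, and whether the grant came from an approved provisioning account. The allowlist of provisioning accounts, the change window, and the use of `debugContext.debugData.privilegeGranted` for the role name are assumptions for illustration; the sample events are constructed and not real data.

```python
"""Replay the Okta admin-role-grant rule over sample events and triage the matches.

Added example; not part of the Elastic rule. Field names follow the Okta
System Log API shape. The allowlist and change window are hypothetical.
"""
from datetime import datetime, time, timezone

# Okta System Log event type the rule keys on (event.action in the Elastic integration).
PRIVILEGE_GRANT = "user.account.privilege.grant"

# Assumed allowlist: service accounts used by an approved provisioning workflow.
# Grants made by these actors are suppressed as exceptions, not silently dropped.
APPROVED_GRANTORS = {"scim-provisioner@example.com"}

# Assumed change window (UTC) in which ticketed admin changes are expected.
CHANGE_WINDOW = (time(13, 0), time(17, 0))

# Constructed sample events (not real data), in Okta System Log shape.
SAMPLE_EVENTS = [
    {   # routine onboarding by the provisioning account, inside the window
        "published": "2024-03-01T14:05:10.000Z",
        "eventType": PRIVILEGE_GRANT,
        "outcome": {"result": "SUCCESS"},
        "actor": {"type": "User", "alternateId": "scim-provisioner@example.com"},
        "client": {"ipAddress": "198.51.100.10"},
        "target": [{"type": "User", "alternateId": "new.helpdesk@example.com"}],
        "debugContext": {"debugData": {"privilegeGranted": "Help Desk Administrator"}},
    },
    {   # a user grants Super administrator to their own account at 03:12 UTC
        "published": "2024-03-01T03:12:44.000Z",
        "eventType": PRIVILEGE_GRANT,
        "outcome": {"result": "SUCCESS"},
        "actor": {"type": "User", "alternateId": "mallory@example.com"},
        "client": {"ipAddress": "203.0.113.7"},
        "target": [{"type": "User", "alternateId": "mallory@example.com"}],
        "debugContext": {"debugData": {"privilegeGranted": "Super administrator"}},
    },
    {   # unrelated event type: must not match
        "published": "2024-03-01T09:30:00.000Z",
        "eventType": "user.session.start",
        "outcome": {"result": "SUCCESS"},
        "actor": {"type": "User", "alternateId": "bob@example.com"},
        "client": {"ipAddress": "198.51.100.22"},
        "target": [],
        "debugContext": {"debugData": {}},
    },
    {   # a human admin grants a read-only role after hours
        "published": "2024-03-01T19:45:00.000Z",
        "eventType": PRIVILEGE_GRANT,
        "outcome": {"result": "SUCCESS"},
        "actor": {"type": "User", "alternateId": "alice.admin@example.com"},
        "client": {"ipAddress": "198.51.100.22"},
        "target": [{"type": "User", "alternateId": "bob@example.com"}],
        "debugContext": {"debugData": {"privilegeGranted": "Read-only Administrator"}},
    },
]


def matches_rule(event):
    """Equivalent of the rule's filter: any Okta privilege-grant event."""
    return event.get("eventType") == PRIVILEGE_GRANT


def in_change_window(published):
    """True if the event's publish time (UTC) falls inside CHANGE_WINDOW."""
    ts = datetime.fromisoformat(published.replace("Z", "+00:00")).astimezone(timezone.utc)
    start, end = CHANGE_WINDOW
    return start <= ts.time() <= end


def triage(events, approved_grantors=APPROVED_GRANTORS):
    """Return one alert per matching event, enriched with triage context and a disposition."""
    alerts = []
    for e in events:
        if not matches_rule(e):
            continue
        actor = e["actor"]["alternateId"]
        targets = [t["alternateId"] for t in e.get("target", []) if t.get("type") == "User"]
        role = e.get("debugContext", {}).get("debugData", {}).get("privilegeGranted", "<unknown>")
        self_grant = actor in targets
        reasons = []
        if self_grant:
            reasons.append("actor granted a role to their own account")
        if "super" in role.lower():
            reasons.append("Super administrator role granted")
        if not in_change_window(e["published"]):
            reasons.append("outside approved change window")
        if actor in approved_grantors:
            disposition = "suppress"      # known provisioning path: recorded as an exception
        elif self_grant or "super" in role.lower():
            disposition = "escalate"      # highest-impact patterns get immediate response
        else:
            disposition = "investigate"   # verify with the actor / change ticket
        alerts.append({
            "published": e["published"], "actor": actor, "targets": targets, "role": role,
            "source_ip": e.get("client", {}).get("ipAddress"), "outcome": e["outcome"]["result"],
            "self_grant": self_grant, "reasons": reasons, "disposition": disposition,
        })
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a['disposition']:<11} {a['actor']} -> {a['targets']} [{a['role']}] {a['reasons']}")
```

Note that the suppression is keyed on the actor, not the role: a Super administrator grant by the provisioning account is still recorded, and a compromise of that service account would need a separate control. The self-grant check is cheap and catches the most common escalation pattern, but a compromised admin granting a second account is not self-grant and still lands in "investigate", which is why the actor's recent session and source IP are carried on the alert.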
Categories
  • Identity Management
  • Cloud
  • Other
Data Sources
  • User Account
  • Logon Session
ATT&CK Techniques
  • T1098
Created: 2020-11-06