
Summary
This detection rule identifies when administrator privileges are assigned to an Okta group, a potential tactic used by adversaries to escalate privileges and maintain access within an organization. Such privileges empower users to manage permissions, making them attractive targets for attackers who may compromise user accounts and leverage these expanded rights to infiltrate further into the organization's systems. The rule utilizes data from Okta's system logs, specifically monitoring events related to privilege assignments within groups. When triggered, it calls for an investigation into the legitimacy of these actions. Steps include reviewing event logs for suspicious activities, verifying the initiating user accounts, and checking group memberships to uncover any unauthorized privilege escalations. The rule includes a list of false positive scenarios which may occur during standard administrative operations or organizational changes, along with recommended responses.
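The detection described above, as an added example that is not part of the original rule: a small Python detector that reads newline-delimited Okta System Log records, flags successful grants of administrator privileges to a group, and summarizes the initiating account's other activity to support the triage steps (verify the initiating user, review surrounding events). The event type `group.privilege.grant` is Okta's System Log event type for this action; the log records, user names, group names and IP addresses below are constructed sample data, and the field layout (`eventType`, `outcome.result`, `actor.alternateId`, `target[]`, `client.ipAddress`, `published`) follows the Okta System Log shape.

```python
"""Flag Okta System Log events that grant administrator privileges to a group."""
import json
from collections import defaultdict

# Okta System Log eventType emitted when a group is granted admin privileges.
ADMIN_GRANT_EVENT = "group.privilege.grant"

# Constructed sample records (not real data). One JSON object per line, as
# exported from the Okta System Log API; the last line is deliberately malformed.
SAMPLE_OKTA_LOG = "\n".join([
    '{"eventType":"user.session.start","outcome":{"result":"SUCCESS"},'
    '"actor":{"alternateId":"alice@example.test","type":"User"},"target":[],'
    '"client":{"ipAddress":"203.0.113.10"},"published":"2020-05-21T10:00:00.000Z"}',
    '{"eventType":"group.user_membership.add","outcome":{"result":"SUCCESS"},'
    '"actor":{"alternateId":"alice@example.test","type":"User"},'
    '"target":[{"type":"User","alternateId":"bob@example.test"},'
    '{"type":"UserGroup","displayName":"Helpdesk"}],'
    '"client":{"ipAddress":"203.0.113.10"},"published":"2020-05-21T10:02:00.000Z"}',
    '{"eventType":"group.privilege.grant","outcome":{"result":"SUCCESS"},'
    '"actor":{"alternateId":"alice@example.test","type":"User"},'
    '"target":[{"type":"UserGroup","displayName":"Helpdesk"}],'
    '"client":{"ipAddress":"203.0.113.10"},"published":"2020-05-21T10:05:00.000Z"}',
    '{"eventType":"group.privilege.grant","outcome":{"result":"FAILURE"},'
    '"actor":{"alternateId":"carol@example.test","type":"User"},'
    '"target":[{"type":"UserGroup","displayName":"Contractors"}],'
    '"client":{"ipAddress":"198.51.100.7"},"published":"2020-05-21T11:30:00.000Z"}',
    'not a json record',
])


def parse_okta_log(text):
    """Yield one dict per well-formed JSON line; blank or malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def group_targets(record):
    """Return the display names of the UserGroup targets of an event."""
    return [t.get("displayName", "<unknown>")
            for t in record.get("target", []) if t.get("type") == "UserGroup"]


def detect_group_admin_grants(records, include_failures=False):
    """Return one alert per group that was granted administrator privileges.

    Failed grants are dropped by default; pass include_failures=True to keep
    them when hunting for attempted escalations.
    """
    alerts = []
    for rec in records:
        if rec.get("eventType") != ADMIN_GRANT_EVENT:
            continue
        outcome = rec.get("outcome", {}).get("result")
        if outcome != "SUCCESS" and not include_failures:
            continue
        for group in group_targets(rec):
            alerts.append({
                "time": rec.get("published"),
                "actor": rec.get("actor", {}).get("alternateId"),
                "source_ip": rec.get("client", {}).get("ipAddress"),
                "group": group,
                "outcome": outcome,
            })
    return alerts


def actor_activity(records, actor):
    """Summarize the initiating account's other events and source IPs for triage."""
    event_counts = defaultdict(int)
    source_ips = set()
    for rec in records:
        if rec.get("actor", {}).get("alternateId") != actor:
            continue
        event_counts[rec.get("eventType")] += 1
        ip = rec.get("client", {}).get("ipAddress")
        if ip:
            source_ips.add(ip)
    return {"event_types": dict(event_counts), "source_ips": sorted(source_ips)}


if __name__ == "__main__":
    recs = list(parse_okta_log(SAMPLE_OKTA_LOG))
    for alert in detect_group_admin_grants(recs):
        print("ALERT", alert)
        print("  actor context:", actor_activity(recs, alert["actor"]))
```

On the sample data the detector raises one alert (the successful grant to the Helpdesk group) and attaches the actor's preceding session start and membership change, which is the context an analyst needs to decide whether the change was a routine administrative action or an unauthorized escalation.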
Categories
- Identity Management
- Cloud
- Application
Data Sources
- User Account
- Cloud Service
- Application Log
ATT&CK Techniques
- T1098
Created: 2020-05-21