AN0772: Analytic 0772
Behavioral chain of a user being granted elevated privileges or roles in Entra ID or Okta following suspicious login or account creation activity.
Analyst context for executives and security teams
This analytic is about a high-risk identity sequence: an account shows suspicious login or account creation activity and is then granted elevated privileges or roles in Entra ID or Okta. For leaders, the significance is not the privilege change alone, but the timing and context. If suspicious access is quickly followed by administrative role assignment, the organization may be facing an identity-driven escalation path that can affect cloud administration, business applications, and incident containment decisions.
Executive priority
Treat this as a priority validation area for identity security and SOC readiness. Security leaders should ask whether the organization can prove who granted privileged access, to whom, from where, and after what prior account activity. This matters for operational resilience, audit evidence, incident response scoping, and prioritizing controls around privileged identity governance in Entra ID and Okta.
Technical view
SOC and detection teams should validate whether Identity Provider telemetry can correlate suspicious login or account creation events with subsequent elevated role or privilege grants. Because the supplied ATT&CK object provides no official detection logic and no relationship context, teams should focus on the behavioral chain: user/account event first, privilege or role assignment second, with enough timing and entity linkage to support triage. Detection should distinguish routine administrative onboarding or approved access changes from unusual privilege elevation following suspicious authentication or account creation.
Likely telemetry
- Entra ID audit logs for role assignments and privileged access changes
- Okta system logs for role grants, admin privilege changes, and account lifecycle events
- Identity Provider sign-in or authentication logs showing suspicious login context where available
- Account creation events with creator, target account, timestamp, and source context
- Administrative action records showing actor, target user, role granted, time, and application or tenant scope
Detection direction
- Validate that IdP logs retain both account activity and privilege-assignment events long enough for incident investigation and audit review.
- Build or review correlation logic that links suspicious login or account creation activity to later elevated role grants for the same account or related actor.
- Tune for expected business processes such as help desk onboarding, break-glass access, approved administrator changes, and automated identity governance workflows.
- Prioritize alerts where the granting actor, target account, source context, or timing is inconsistent with normal administrative patterns.
- Confirm that detections cover both Entra ID and Okta if both are in use; do not assume parity of fields or event names across providers.
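As an added illustration of the correlation described in the technical view and detection direction above (example code, not part of the analytic or of Glexia's tooling), the function below links each privilege grant to prior suspicious logins or account creations on the same account within a look-back window and deprioritizes grants made by approved automation. The normalized event schema, the sample events and the approved-actor allowlist are constructed assumptions; real Entra ID audit-log and Okta System Log fields must be mapped into this shape first.

```python
from datetime import datetime, timedelta

# Constructed, normalized identity events for the demo. The schema (kind, account, actor,
# time, flag, role) is an assumption, not the real Entra ID or Okta field names.
EVENTS = [
    {"kind": "login",  "account": "j.doe",  "actor": "j.doe",     "time": "2026-01-10T08:02:00", "flag": "risky"},
    {"kind": "grant",  "account": "j.doe",  "actor": "admin2",    "time": "2026-01-10T08:20:00", "role": "Global Administrator"},
    {"kind": "create", "account": "tmp-01", "actor": "helpdesk1", "time": "2026-01-10T09:00:00"},
    {"kind": "grant",  "account": "tmp-01", "actor": "helpdesk1", "time": "2026-01-10T09:05:00", "role": "Super Administrator"},
    {"kind": "login",  "account": "a.lee",  "actor": "a.lee",     "time": "2026-01-09T10:00:00", "flag": "none"},
    {"kind": "grant",  "account": "a.lee",  "actor": "admin2",    "time": "2026-01-10T10:00:00", "role": "User Administrator"},
    {"kind": "create", "account": "b.kim",  "actor": "svc-idgov", "time": "2026-01-10T11:00:00"},
    {"kind": "grant",  "account": "b.kim",  "actor": "svc-idgov", "time": "2026-01-10T11:01:00", "role": "Helpdesk Administrator"},
]

# Assumed allowlist of approved identity-governance automation actors (tuning input).
APPROVED_ACTORS = {"svc-idgov"}

def is_precursor(e):
    """Chain step one: a suspicious login or any account creation."""
    return e["kind"] == "create" or (e["kind"] == "login" and e.get("flag") == "risky")

def correlate(events, window_hours=24, approved=APPROVED_ACTORS):
    """Chain step two: link each privilege grant to precursor events on the same
    account inside the look-back window and return one alert per linked grant."""
    alerts = []
    for g in sorted((e for e in events if e["kind"] == "grant"), key=lambda e: e["time"]):
        g_time = datetime.fromisoformat(g["time"])
        earliest = g_time - timedelta(hours=window_hours)
        precursors = sorted(
            (e for e in events
             if e["account"] == g["account"] and is_precursor(e)
             and earliest <= datetime.fromisoformat(e["time"]) < g_time),
            key=lambda e: e["time"])
        if not precursors:
            continue
        last = datetime.fromisoformat(precursors[-1]["time"])
        alerts.append({
            "account": g["account"],
            "role": g["role"],
            "granted_by": g["actor"],
            # The same actor creating the account and then granting it a role is a related-actor link.
            "creator_is_granter": any(p["kind"] == "create" and p["actor"] == g["actor"] for p in precursors),
            "precursors": [(p["kind"], p["time"]) for p in precursors],
            "minutes_between": (g_time - last).total_seconds() / 60,
            # Grants by approved automation are kept for review but deprioritized, not dropped.
            "severity": "low" if g["actor"] in approved else "high",
        })
    return alerts
```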
Mitigation priorities
- Ensure privileged role grants in Entra ID and Okta are governed by documented approval and review processes.
- Limit standing administrative privileges and review privileged role membership regularly.
- Require strong authentication and appropriate conditional access controls for privileged identity actions where supported by the Identity Provider environment.
- Centralize IdP audit and authentication telemetry into SOC workflows with retention suitable for investigations.
- Create incident response playbooks for suspected identity escalation, including privilege review, session revocation, account containment, and evidence preservation.
Analyst notes and limits
The object is a detection analytic for the Identity Provider platform and specifically references Entra ID and Okta in its description. No tactics, relationships, or official detection implementation are supplied, so the practical value is in validating telemetry coverage and correlation around identity privilege elevation after suspicious account activity.
No official detection logic, ATT&CK relationships, tactics, aliases, or labels were provided. This take does not assert active exploitation, attacker attribution, impact, or guaranteed coverage. Local IdP configuration, log availability, retention, and identity governance workflows are required to determine detection quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a01a8ae72060… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0772
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.