Documentation Index
Fetch the complete documentation index at: https://specterops-enable-tls-feedback.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
The following custom Cypher queries can be imported into BloodHound to enhance visibility into collected Okta data. Each query is saved under the name of its section heading and can be imported from the JSON file noted below it.
Agents, Agent Pools, and Host Servers
Lists Okta agents, their associated agent pools, and the AD servers hosting each agent.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_AgentPool)<-[:Okta_AgentMemberOf|Okta_HostsAgent*1..2]-(agent)
WHERE agent:Okta_Agent OR agent:Computer
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the ad-agents.json file.
Principals with Admin Console Access
Identifies principals assigned to the Okta Admin Console. The Admin Console is modelled as an Okta_Application whose appType is "saasure", so any principal with an Okta_AppAssignment edge to that node can reach the console.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_AppAssignment]->(console:Okta_Application)
WHERE console.appType = "saasure"
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the admin-console-access.json file.
Application Assignments
Lists all application assignments from principals to applications.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_AppAssignment]->(:Okta_Application)
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the app-assignments.json file.
Application Credentials
Lists all client secrets and JWKs (JSON Web Keys) attached to applications.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)<-[:Okta_SecretOf|Okta_KeyOf]-(credential)
WHERE credential:Okta_ClientSecret OR credential:Okta_JWK
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the app-credentials.json file.
Devices
Lists all devices, their owners, and any principals (users, groups, or applications) with mobile admin rights over each device. The device is bound in the first MATCH so that the OPTIONAL MATCH only returns admins of that device rather than a cross product of every device with every admin.
MATCH path = (device:Okta_Device)-[:Okta_DeviceOf]->(:Okta_User)
OPTIONAL MATCH adminPath = (admin)-[:Okta_MobileAdmin]->(device)
WHERE admin:Okta_User OR admin:Okta_Group OR admin:Okta_Application
RETURN path,adminPath
LIMIT 1000
This query can be imported into BloodHound from the devices.json file.
Group Membership
Retrieves all group membership relationships.
MATCH path = (:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the group-members.json file.
Hybrid Relationships Inbound
Retrieves all hybrid relationships from external systems to Okta.
MATCH path = (source)-[]->(:Okta)
WHERE NOT source:Okta
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the hybrid-inbound.json file.
Hybrid Relationships Outbound
Retrieves all hybrid relationships from Okta to external systems.
MATCH path = (:Okta)-[]->(target)
WHERE NOT target:Okta
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the hybrid-outbound.json file.
Security Principal Synchronization
Retrieves all users and groups that are synchronized TO or FROM Okta.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_UserPull|Okta_UserPush|Okta_GroupPull|Okta_GroupPush]->(:Okta)
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the hybrid-sync.json file.
Identity Provider Assignments - Direct Privileged Access
Identity providers associated with users or groups that hold direct privileged role assignments in Okta.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(assignee)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE assignee:Okta_User OR assignee:Okta_Group
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the identity-providers-direct-privileged.json file.
Identity Provider Assignments - Indirect Privileged Access
Identity providers associated with users who hold privileged role assignments through group membership in Okta.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor]->(:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the identity-providers-indirect-privileged.json file.
Identity Provider Assignments
Lists all identity providers and the users and groups they are associated with, including per-user trust relationships and automatic group assignments.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(assignee)
WHERE assignee:Okta_User OR assignee:Okta_Group
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the identity-providers.json file.
Organizational Structure
Retrieves all manager relationships.
MATCH path = (:Okta_User)-[:Okta_ManagerOf]->(:Okta_User)
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the org-chart.json file.
Org Trust Relationships
Lists all org-to-org trust relationships including inbound and outbound SSO federation, Secure Web Authentication (SWA), and Kerberos SSO relationships between Okta applications and supported external organizations or tenants.
MATCH path = (source)-[:Okta_InboundOrgSSO|Okta_OutboundOrgSSO|Okta_OrgSWA|Okta_KerberosSSO]-()
WHERE source:Okta_Application OR source:Okta_IdentityProvider
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the org-trust-relationships.json file.
Password and MFA Permissions
Lists permissions to reset passwords and MFA factors.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(actor)-[:Okta_ResetPassword|Okta_ResetFactors|Okta_HelpDeskAdmin|Okta_OrgAdmin|Okta_GroupAdmin]->(:Okta_User)
WHERE actor:Okta_User OR actor:Okta_Group OR actor:Okta_Application
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the password-and-mfa-permissions.json file.
Policy Mappings
Retrieves all policies and the resources each policy is mapped to. The policy is bound between the two patterns so that each mapping is returned with its own policy; OPTIONAL MATCH keeps policies that have no mapping in the result.
MATCH policies = (:Okta_Organization)-[:Okta_Contains]->(policy:Okta_Policy)
OPTIONAL MATCH mappings = (policy)-[:Okta_PolicyMapping]->(:Okta)
RETURN policies,mappings
LIMIT 1000
This query can be imported into BloodHound from the policy-mappings.json file.
Unrotated Active Access Keys on Privileged Apps
Finds active JWKs or client secrets older than 365 days on applications that have role assignments.
MATCH path = (credential)-[:Okta_KeyOf|Okta_SecretOf]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE (credential:Okta_JWK OR credential:Okta_ClientSecret) AND credential.status = "ACTIVE" AND datetime(credential.created) <= datetime() - duration("P365D")
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the privileged-app-unrotated-access-keys.json file.
Applications with Role Assignments
Applications that have roles assigned.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the privileged-apps.json file.
Synced Principals with Privileged Access (Direct) - Hybrid Edges
Users, groups, and applications with inbound hybrid relationships (sync, SSO, or AD agent) that hold privileged role assignments in Okta.
MATCH path = ()-[:Okta_UserSync|Okta_MembershipSync|Okta_InboundSSO|Okta_HostsAgent]->(principal)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE principal:Okta_User OR principal:Okta_Group OR principal:Okta_Application
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the privileged-hybrid-inbound-direct.json file.
Synced Principals with Privileged Access (Indirect) - Hybrid Edges
Users and applications with inbound hybrid relationships (sync, SSO, or AD agent) that hold privileged role assignments through group membership in Okta.
MATCH path = ()-[:Okta_UserSync|Okta_InboundSSO|Okta_HostsAgent]->(principal)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE principal:Okta_User OR principal:Okta_Application
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the privileged-hybrid-inbound-indirect.json file.
Synced Principals with Privileged Access (Direct) - Okta Edges
Users and groups synchronized from external sources that have privileged role assignments.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(provider)-[:Okta_UserPull|Okta_GroupPull|Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(:Okta)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE provider:Okta_Application OR provider:Okta_IdentityProvider
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the privileged-principals-hybrid-direct.json file.
Synced Principals with Privileged Access (Indirect) - Okta Edges
Users synchronized from external sources that hold privileged role assignments through group membership in Okta.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(provider)-[:Okta_UserPull|Okta_IdentityProviderFor]->(:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE provider:Okta_Application OR provider:Okta_IdentityProvider
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the privileged-principals-hybrid-indirect.json file.
Privileged Users without MFA (Direct)
Users with no enrolled authentication factors (authenticationFactors = 0) who directly hold privileged role assignments.
MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.authenticationFactors = 0
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the privileged-users-no-mfa-direct.json file.
Privileged Users without MFA (Indirect)
Users with no enrolled authentication factors (authenticationFactors = 0) who hold privileged role assignments through group membership.
MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.authenticationFactors = 0
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the privileged-users-no-mfa-indirect.json file.
Privileged Users with Old Passwords (Direct)
Finds users who directly hold privileged role assignments and whose password was last changed 365 days or more ago. Users with no recorded password change date are excluded.
MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.passwordChanged IS NOT NULL AND datetime(user.passwordChanged) <= datetime() - duration("P365D")
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the privileged-users-old-passwords-direct.json file.
Privileged Users with Old Passwords (Indirect)
Finds users who hold privileged role assignments through group membership and whose password was last changed 365 days or more ago. Users with no recorded password change date are excluded.
MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.passwordChanged IS NOT NULL AND datetime(user.passwordChanged) <= datetime() - duration("P365D")
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the privileged-users-old-passwords-indirect.json file.
Privileged Users with Non-Active Status (Direct)
Finds users whose status is not ACTIVE and directly hold privileged role assignments, including deactivated, suspended, or provisioning-incomplete accounts.
MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.status <> "ACTIVE"
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the privileged-users-unexpected-status-direct.json file.
Privileged Users with Non-Active Status (Indirect)
Finds users whose status is not ACTIVE and hold privileged role assignments through group membership, including deactivated, suspended, or provisioning-incomplete accounts.
MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.status <> "ACTIVE"
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the privileged-users-unexpected-status-indirect.json file.
Read Client Secrets of Privileged Applications
Searches for client secrets associated with privileged applications that are readable to non-Super Admins.
MATCH path = (:Okta)-[:Okta_ReadClientSecret|Okta_MemberOf*1..2]->(:Okta_ClientSecret)-[:Okta_SecretOf]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the read-client-secrets.json file.
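The Unrotated Active Access Keys and Read Client Secrets queries above each return one kind of path. The following query is an added example, not one of the shipped queries, that combines the two questions into a single tabular report: for every active credential on an application that holds a role assignment, it reports the credential's age in days, whether it is past a 365-day rotation threshold, and which principals can read it directly or through one level of group membership. It assumes applications and principals carry a name property and that Okta_ClientSecret and Okta_JWK nodes share the created and status properties the shipped queries rely on; the 365-day threshold is a policy choice.

```cypher
// Added example (not a shipped BloodHound query): credential-hygiene report for
// applications that hold role assignments.
// Assumptions: app.name and reader.name exist; the 365-day threshold is illustrative.
MATCH (cred)-[:Okta_KeyOf|Okta_SecretOf]->(app:Okta_Application)-[:Okta_HasRoleAssignment]->(role:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE (cred:Okta_JWK OR cred:Okta_ClientSecret) AND cred.status = "ACTIVE"
// Principals that can read the credential, directly or via one level of group membership.
OPTIONAL MATCH (reader:Okta)-[:Okta_ReadClientSecret|Okta_MemberOf*1..2]->(cred)
WITH app, cred,
     collect(DISTINCT role.type) AS roles,
     collect(DISTINCT reader.name) AS readers
WITH app, cred, roles, readers,
     duration.inDays(datetime(cred.created), datetime()).days AS ageDays
RETURN app.name AS application,
       labels(cred) AS credentialType,
       roles,
       ageDays,
       ageDays >= 365 AS rotationOverdue,
       size(readers) AS readerCount,
       readers
ORDER BY rotationOverdue DESC, ageDays DESC
LIMIT 1000
```

Run this against the Neo4j database directly (Neo4j Browser or the driver) rather than in the BloodHound explore view, which renders paths and nodes rather than tabular rows. A credential that is both rotationOverdue and has a non-empty readers list is the one to rotate first.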
Realm Membership
Lists all Okta realms and the users assigned to them.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Realm)-[:Okta_RealmContains]->(:Okta_User)
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the realm-membership.json file.
Resource Set Membership
Lists all resource sets and their associated members.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_ResourceSet)-[:Okta_ResourceSetContains]->(:Okta)
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the resource-set-membership.json file.
Application Administrators and Managers
Lists all Application Administrators and Managers.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(admin)-[:Okta_AppAdmin|Okta_ManageApp]->(app)
WHERE (admin:Okta_User OR admin:Okta_Group OR admin:Okta_Application) AND (app:Okta_Application OR app:Okta_ApiServiceIntegration)
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the role-app-admins.json file.
Role Assignments - Role Assignments and Scope
Lists all role assignments and their scope, including assignments inherited through one level of group membership (the *1..2 bound allows at most one Okta_MemberOf hop before the Okta_HasRoleAssignment edge).
MATCH path = (:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf*1..2]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the role-assignments.json file.
Role Assignments - All Custom Roles
Lists all role assignments, linking principals to their assigned custom roles.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(assignee)-[:Okta_HasRole]->(:Okta_CustomRole)
WHERE assignee:Okta_User OR assignee:Okta_Group OR assignee:Okta_Application
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the role-custom-assignments.json file.
Role Assignments - All Built-in Roles
Lists all role assignments, linking principals to their assigned built-in roles.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(assignee)-[:Okta_HasRole]->(:Okta_Role)
WHERE assignee:Okta_User OR assignee:Okta_Group OR assignee:Okta_Application
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the role-direct-assignments.json file.
Role Assignments - Group Administrators
Lists all principals with Group Administrator, Group Membership Administrator, or Organization Administrator rights over groups.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(admin)-[:Okta_GroupAdmin|Okta_GroupMembershipAdmin|Okta_OrgAdmin]->(:Okta_Group)
WHERE admin:Okta_User OR admin:Okta_Group OR admin:Okta_Application
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the role-group-admins.json file.
SCIM Apps Receiving Password Updates
Lists application-to-user assignments where the application receives the user's Okta password through SCIM password synchronization.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)-[:Okta_ReadPasswordUpdates]->(:Okta_User)
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the scim-read-passwords.json file.
API Service Integration Creators
Lists all API service integrations and their creators.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_CreatorOf]->(:Okta_ApiServiceIntegration)
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the service-integration-creators.json file.
Stale Privileged Users (Direct)
Finds user accounts that directly hold privileged role assignments and have either never logged in or not logged in for at least 180 days.
MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.lastLogin IS NULL OR datetime(user.lastLogin) <= datetime() - duration("P180D")
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the stale-privileged-accounts-direct.json file.
Stale Privileged Users (Indirect)
Finds user accounts that hold privileged role assignments through group membership and have either never logged in or not logged in for at least 180 days.
MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.lastLogin IS NULL OR datetime(user.lastLogin) <= datetime() - duration("P180D")
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the stale-privileged-accounts-indirect.json file.
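The privileged-user queries above (no MFA, old passwords, non-active status, stale logins, each in a direct and an indirect form) return one hygiene problem at a time. The following query is an added example, not one of the shipped queries, that evaluates all four checks in one pass over every user who reaches a privileged role assignment directly or through one level of group membership, and returns a tabular report with a findings list per user. It assumes users and scope nodes carry a name property; the 180-day and 365-day thresholds mirror the shipped queries but are policy choices.

```cypher
// Added example (not a shipped BloodHound query): one hygiene report over privileged users.
// *1..2 allows direct role assignments and one Okta_MemberOf hop, as in the shipped
// Role Assignments query; raise the upper bound to follow nested groups.
// Assumptions: user.name and scope.name exist; thresholds are illustrative.
MATCH (user:Okta_User)-[:Okta_HasRoleAssignment|Okta_MemberOf*1..2]->(role:Okta_RoleAssignment)-[:Okta_ScopedTo]->(scope:Okta)
WITH user, collect(DISTINCT role.type) AS roles, collect(DISTINCT scope.name) AS scopes
// Each CASE yields a finding label or null; the comprehension drops the nulls.
WITH user, roles, scopes,
     [f IN [
        CASE WHEN user.authenticationFactors = 0 THEN "no-mfa" END,
        CASE WHEN user.status <> "ACTIVE" THEN "not-active" END,
        CASE WHEN user.lastLogin IS NULL
               OR datetime(user.lastLogin) <= datetime() - duration("P180D") THEN "stale-login" END,
        CASE WHEN user.passwordChanged IS NOT NULL
               AND datetime(user.passwordChanged) <= datetime() - duration("P365D") THEN "old-password" END
     ] WHERE f IS NOT NULL] AS findings
WHERE size(findings) > 0
RETURN user.name AS user, user.status AS status, roles, scopes, findings
ORDER BY size(findings) DESC, user.name
LIMIT 1000
```

Run it against Neo4j directly rather than in the BloodHound explore view, which renders paths rather than rows. A user with several findings and a SUPER_ADMIN or ORG_ADMIN entry in roles is the first remediation target; remove the WHERE clause to get the full privileged-user inventory with an empty findings list for clean accounts.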
Secure Web Authentication Applications
Secure Web Authentication (SWA) relationships between Okta users and their linked accounts in external applications.
MATCH path = (:Okta_User)-[:Okta_SWA]->(target)
WHERE NOT target:Okta
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the swa-applications.json file.
Inbound User and Group Synchronization
Lists all inbound user and group synchronization relationships to Okta, including password synchronization across Org2Org setups.
MATCH path = (source)-[:Okta_UserSync|Okta_MembershipSync|Okta_PasswordSync]->(target)
WHERE target:Okta_User OR target:Okta_Group
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the sync-relationships-inbound.json file.
Outbound User and Group Synchronization
Lists all outbound user and group synchronization relationships from Okta, including password synchronization across Org2Org setups.
MATCH path = (source)-[:Okta_UserSync|Okta_MembershipSync|Okta_PasswordSync]->(target)
WHERE source:Okta_User OR source:Okta_Group
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the sync-relationships-outbound.json file.
Tier Zero Principals and Devices
Principals with SUPER_ADMIN or ORG_ADMIN role assignments and their associated devices.
MATCH path = (:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf|Okta_DeviceOf*1..3]->(role:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta_Organization)
WHERE role.type IN ["SUPER_ADMIN", "ORG_ADMIN"]
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the tier0.json file.
Users with API Tokens
Retrieves all users who own API tokens. An Okta API token inherits the permissions of the user that created it, so these users are effectively privileged and the token is a credential for their role.
MATCH path = (:Okta_ApiToken)-[:Okta_ApiTokenFor]->(:Okta_User)<-[:Okta_Contains]-(:Okta_Organization)
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the users-api-tokens.json file.