Lists Okta agents, their associated agent pools, and the AD servers hosting each agent.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_AgentPool)<-[:Okta_AgentMemberOf|Okta_HostsAgent*1..2]-(agent)
WHERE agent:Okta_Agent OR agent:Computer
RETURN path
LIMIT 1000
This query can be imported into BloodHound from the ad-agents.json file.
Lists all applications and the client secrets and JWKs associated with them.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)<-[:Okta_SecretOf|Okta_KeyOf]-(credential)
WHERE credential:Okta_ClientSecret OR credential:Okta_JWK
RETURN path
LIMIT 1000
Lists all devices, their owners, and any mobile admins of those devices.
MATCH path = (device:Okta_Device)-[:Okta_DeviceOf]->(:Okta_User)
OPTIONAL MATCH adminPath = (admin)-[:Okta_MobileAdmin]->(device)
WHERE admin:Okta_User OR admin:Okta_Group OR admin:Okta_Application
RETURN path, adminPath
LIMIT 1000
This query can be imported into BloodHound from the devices.json file.
Identity Provider Assignments - Direct Privileged Access
Identity providers associated with users or groups that hold direct privileged role assignments in Okta.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(assignee)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE assignee:Okta_User OR assignee:Okta_Group
RETURN path
LIMIT 1000
Lists all identity providers and the users and groups they are associated with, including per-user trust relationships and automatic group assignments.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(assignee)
WHERE assignee:Okta_User OR assignee:Okta_Group
RETURN path
LIMIT 1000
Lists all org-to-org trust relationships including inbound and outbound SSO federation, Secure Web Authentication (SWA), and Kerberos SSO relationships between Okta applications and supported external organizations or tenants.
MATCH path = (source)-[:Okta_InboundOrgSSO|Okta_OutboundOrgSSO|Okta_OrgSWA|Okta_KerberosSSO]-()
WHERE source:Okta_Application OR source:Okta_IdentityProvider
RETURN path
LIMIT 1000
Lists permissions to reset passwords and MFA factors.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(actor)-[:Okta_ResetPassword|Okta_ResetFactors|Okta_HelpDeskAdmin|Okta_OrgAdmin|Okta_GroupAdmin]->(:Okta_User)
WHERE actor:Okta_User OR actor:Okta_Group OR actor:Okta_Application
RETURN path
LIMIT 1000
Finds active JWKs or client secrets older than 365 days on applications that have role assignments.
MATCH path = (credential)-[:Okta_KeyOf|Okta_SecretOf]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE (credential:Okta_JWK OR credential:Okta_ClientSecret)
  AND credential.status = "ACTIVE"
  AND datetime(credential.created) <= datetime() - duration("P365D")
RETURN path
LIMIT 1000
Synced Principals with Privileged Access (Direct) - Hybrid Edges
Users, groups, and applications with inbound hybrid relationships (sync, SSO, or AD agent) that hold privileged role assignments in Okta.
MATCH path = ()-[:Okta_UserSync|Okta_MembershipSync|Okta_InboundSSO|Okta_HostsAgent]->(principal)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE principal:Okta_User OR principal:Okta_Group OR principal:Okta_Application
RETURN path
LIMIT 1000
Synced Principals with Privileged Access (Indirect) - Hybrid Edges
Users and applications with inbound hybrid relationships (sync, SSO, or AD agent) that hold privileged role assignments through group membership in Okta.
MATCH path = ()-[:Okta_UserSync|Okta_InboundSSO|Okta_HostsAgent]->(principal)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE principal:Okta_User OR principal:Okta_Application
RETURN path
LIMIT 1000
Synced Principals with Privileged Access (Direct) - Okta Edges
Users and groups synchronized from external sources that have privileged role assignments.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(provider)-[:Okta_UserPull|Okta_GroupPull|Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(:Okta)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE provider:Okta_Application OR provider:Okta_IdentityProvider
RETURN path
LIMIT 1000
Synced Principals with Privileged Access (Indirect) - Okta Edges
Users synchronized from external sources that hold privileged role assignments through group membership in Okta.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(provider)-[:Okta_UserPull|Okta_IdentityProviderFor]->(:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE provider:Okta_Application OR provider:Okta_IdentityProvider
RETURN path
LIMIT 1000
Finds users whose last password change was more than a year ago and who directly hold privileged role assignments.
MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.passwordChanged IS NOT NULL
  AND datetime(user.passwordChanged) <= datetime() - duration("P365D")
RETURN path
LIMIT 1000
Finds users whose last password change was more than a year ago and who hold privileged role assignments through group membership.
MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.passwordChanged IS NOT NULL
  AND datetime(user.passwordChanged) <= datetime() - duration("P365D")
RETURN path
LIMIT 1000
Finds users whose status is not ACTIVE (deactivated, suspended, or provisioning-incomplete accounts) and who directly hold privileged role assignments.
MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.status <> "ACTIVE"
RETURN path
LIMIT 1000
Privileged Users with Non-Active Status (Indirect)
Finds users whose status is not ACTIVE (deactivated, suspended, or provisioning-incomplete accounts) and who hold privileged role assignments through group membership.
MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.status <> "ACTIVE"
RETURN path
LIMIT 1000
Lists application administrators and the applications or API service integrations they can manage.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(admin)-[:Okta_AppAdmin|Okta_ManageApp]->(app)
WHERE (admin:Okta_User OR admin:Okta_Group OR admin:Okta_Application)
  AND (app:Okta_Application OR app:Okta_ApiServiceIntegration)
RETURN path
LIMIT 1000
Lists all role assignments, linking principals to their assigned custom roles.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(assignee)-[:Okta_HasRole]->(:Okta_CustomRole)
WHERE assignee:Okta_User OR assignee:Okta_Group OR assignee:Okta_Application
RETURN path
LIMIT 1000
Lists all role assignments, linking principals to their assigned built-in roles.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(assignee)-[:Okta_HasRole]->(:Okta_Role)
WHERE assignee:Okta_User OR assignee:Okta_Group OR assignee:Okta_Application
RETURN path
LIMIT 1000
Lists all Group Administrators and Group Membership Administrators, together with Org Administrators, and the groups they can manage.
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(admin)-[:Okta_GroupAdmin|Okta_GroupMembershipAdmin|Okta_OrgAdmin]->(:Okta_Group)
WHERE admin:Okta_User OR admin:Okta_Group OR admin:Okta_Application
RETURN path
LIMIT 1000
Finds user accounts that have never logged in or have not logged in for at least 180 days, and that directly hold privileged role assignments.
MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.lastLogin IS NULL
  OR datetime(user.lastLogin) <= datetime() - duration("P180D")
RETURN path
LIMIT 1000
Finds user accounts that have never logged in or have not logged in for at least 180 days, and that hold privileged role assignments through group membership.
MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.lastLogin IS NULL
  OR datetime(user.lastLogin) <= datetime() - duration("P180D")
RETURN path
LIMIT 1000