The following custom Cypher queries can be imported into BloodHound to enhance visibility.
Each query is defined in a JSON file located in the Queries directory of the OktaHound repository.
This file is automatically generated from the JSON query files that are bundled with the OktaHound collector.
Agents, Agent Pools, and Host Servers
Lists Okta agents, their associated agent pools, and the AD servers hosting each agent.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_AgentPool)<-[:Okta_AgentMemberOf|Okta_HostsAgent*1..2]-(:Okta_Agent:Computer)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the ad-agents.json file.
Principals with Admin Console Access
Identifies principals with access to the Okta Admin Console.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_AppAssignment]->(c:Okta_Application)
WHERE c.appType = "saasure"
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the admin-console-access.json file.
Application Assignments
Lists all application assignments.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_AppAssignment]->(:Okta_Application)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the app-assignments.json file.
Application Credentials
Lists all service application secrets and JWTs.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)<-[:Okta_SecretOf|Okta_KeyOf]-(:Okta_ClientSecret:Okta_JWK)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the app-credentials.json file.
Devices
Lists all devices, their owners, and any mobile admins.
MATCH p = (:Okta_Device)-[:Okta_DeviceOf]->(:Okta_User)
OPTIONAL MATCH q = (:Okta_User:Okta_Group:Okta_Application)-[:Okta_MobileAdmin]->(:Okta_Device)
RETURN p,q
LIMIT 1000
This query can be imported into BloodHound from the devices.json file.
Group Membership
Retrieves all group membership relationships.
MATCH p = (:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the group-members.json file.
Hybrid Relationships Inbound
Retrieves all hybrid relationships from external systems to Okta.
MATCH p = (n)-[]->(:Okta)
WHERE NOT n:Okta
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the hybrid-inbound.json file.
Hybrid Relationships Outbound
Retrieves all hybrid relationships from Okta to external systems.
MATCH p = (:Okta)-[]->(n)
WHERE NOT n:Okta
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the hybrid-outbound.json file.
Security Principal Synchronization
Retrieves all users and groups that are synchronized TO or FROM Okta.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_UserPull|Okta_UserPush|Okta_GroupPull|Okta_GroupPush]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the hybrid-sync.json file.
Identity Provider Assignments - Direct Privileged Access
Identity providers associated with users or groups that hold direct privileged role assignments in Okta.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(:Okta_User:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the identity-providers-direct-privileged.json file.
Identity Provider Assignments - Indirect Privileged Access
Identity providers associated with users who hold privileged role assignments through group membership in Okta.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor]->(:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the identity-providers-indirect-privileged.json file.
Identity Provider Assignments
Lists all identity providers and the users and groups they are associated with, including per-user trust relationships and automatic group assignments.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(:Okta_User:Okta_Group)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the identity-providers.json file.
Organizational Structure
Retrieves all manager relationships.
MATCH p = (:Okta_User)-[:Okta_ManagerOf]->(:Okta_User)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the org-chart.json file.
Org Trust Relationships
Lists all org-to-org trust relationships including inbound and outbound SSO federation, Secure Web Authentication (SWA), and Kerberos SSO relationships between Okta applications and supported external organizations or tenants.
MATCH p = (:Okta_Application:Okta_IdentityProvider)-[:Okta_InboundOrgSSO|Okta_OutboundOrgSSO|Okta_OrgSWA|Okta_KerberosSSO]-()
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the org-trust-relationships.json file.
Password and MFA Permissions
Lists permissions to reset passwords and MFA factors.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_User:Okta_Group:Okta_Application)-[:Okta_ResetPassword|Okta_ResetFactors|Okta_HelpDeskAdmin|Okta_OrgAdmin|Okta_GroupAdmin]->(:Okta_User)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the password-and-mfa-permissions.json file.
Policy Mappings
Retrieves all policy mappings.
MATCH policies = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Policy)
MATCH mappings = (:Okta_Policy)-[:Okta_PolicyMapping]->(:Okta)
RETURN policies,mappings
LIMIT 1000
This query can be imported into BloodHound from the policy-mappings.json file.
Unrotated Active Access Keys on Privileged Apps
Finds active JWKs or client secrets older than 365 days on applications that have role assignments.
MATCH p = (s:Okta_JWK:Okta_ClientSecret)-[:Okta_KeyOf|Okta_SecretOf]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE s.status = "ACTIVE" AND datetime(s.created) <= datetime() - duration("P365D")
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-app-unrotated-access-keys.json file.
Applications with Role Assignments
Applications that have roles assigned.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-apps.json file.
Synced Principals with Privileged Access (Direct) - Hybrid Edges
Users, groups, and applications with inbound hybrid relationships (sync, SSO, or AD agent) that hold privileged role assignments in Okta.
MATCH p = ()-[:Okta_UserSync|Okta_MembershipSync|Okta_InboundSSO|Okta_HostsAgent]->(:Okta_User:Okta_Group:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-hybrid-inbound-direct.json file.
Synced Principals with Privileged Access (Indirect) - Hybrid Edges
Users and applications with inbound hybrid relationships (sync, SSO, or AD agent) that hold privileged role assignments through group membership in Okta.
MATCH p = ()-[:Okta_UserSync|Okta_InboundSSO|Okta_HostsAgent]->(:Okta_User:Okta_Application)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-hybrid-inbound-indirect.json file.
Synced Principals with Privileged Access (Direct) - Okta Edges
Users and groups synchronized from external sources that have privileged role assignments.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application:Okta_IdentityProvider)-[:Okta_UserPull|Okta_GroupPull|Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(:Okta)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-principals-hybrid-direct.json file.
Synced Principals with Privileged Access (Indirect) - Okta Edges
Users synchronized from external sources that hold privileged role assignments through group membership in Okta.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application:Okta_IdentityProvider)-[:Okta_UserPull|Okta_IdentityProviderFor]->(:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-principals-hybrid-indirect.json file.
Privileged Users without MFA (Direct)
Users who do not have multi-factor authentication enabled and directly hold privileged role assignments.
MATCH p = (u:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE u.authenticationFactors = 0
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-users-no-mfa-direct.json file.
Privileged Users without MFA (Indirect)
Users who do not have multi-factor authentication enabled and hold privileged role assignments through group membership.
MATCH p = (u:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE u.authenticationFactors = 0
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-users-no-mfa-indirect.json file.
Privileged Users with Old Passwords (Direct)
Finds users whose last password change was more than a year ago and directly hold privileged role assignments.
MATCH p = (u:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE u.passwordChanged IS NOT NULL AND datetime(u.passwordChanged) <= datetime() - duration("P365D")
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-users-old-passwords-direct.json file.
Privileged Users with Old Passwords (Indirect)
Finds users whose last password change was more than a year ago and hold privileged role assignments through group membership.
MATCH p = (u:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE u.passwordChanged IS NOT NULL AND datetime(u.passwordChanged) <= datetime() - duration("P365D")
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-users-old-passwords-indirect.json file.
Privileged Users with Non-Active Status (Direct)
Finds users whose status is not ACTIVE and directly hold privileged role assignments, including deactivated, suspended, or provisioning-incomplete accounts.
MATCH p = (u:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE u.status <> "ACTIVE"
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-users-unexpected-status-direct.json file.
Privileged Users with Non-Active Status (Indirect)
Finds users whose status is not ACTIVE and hold privileged role assignments through group membership, including deactivated, suspended, or provisioning-incomplete accounts.
MATCH p = (u:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE u.status <> "ACTIVE"
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-users-unexpected-status-indirect.json file.
Read Client Secrets of Privileged Applications
Searches for client secrets associated with privileged applications that are readable to non-Super Admins.
MATCH p = (:Okta)-[:Okta_ReadClientSecret|Okta_MemberOf*1..2]->(:Okta_ClientSecret)-[:Okta_SecretOf]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the read-client-secrets.json file.
Realm Membership
Lists all Okta realms and the users assigned to them.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Realm)-[:Okta_RealmContains]->(:Okta_User)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the realm-membership.json file.
Resource Set Membership
Lists all resource sets and their associated members.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_ResourceSet)-[:Okta_ResourceSetContains]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the resource-set-membership.json file.
Application Administrators and Managers
Lists all Application Administrators and Managers.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_User:Okta_Group:Okta_Application)-[:Okta_AppAdmin|Okta_ManageApp]->(:Okta_Application:Okta_ApiServiceIntegration)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the role-app-admins.json file.
Role Assignments - Role Assignments and Scope
Lists all role assignments and scope, including transitive group membership.
MATCH p = (:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf*1..2]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the role-assignments.json file.
Role Assignments - All Custom Roles
Lists all role assignments, linking principals to their assigned custom roles.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_User:Okta_Group:Okta_Application)-[:Okta_HasRole]->(:Okta_CustomRole)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the role-custom-assignments.json file.
Role Assignments - All Built-in Roles
Lists all role assignments, linking principals to their assigned built-in roles.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_User:Okta_Group:Okta_Application)-[:Okta_HasRole]->(:Okta_Role)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the role-direct-assignments.json file.
Role Assignments - Group Administrators
Lists all Group Administrators and Group Membership Administrators.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_User:Okta_Group:Okta_Application)-[:Okta_GroupAdmin|Okta_GroupMembershipAdmin|Okta_OrgAdmin]->(:Okta_Group)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the role-group-admins.json file.
SCIM Apps Receiving Password Updates
Lists application-to-user assignments where the app receives password updates.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)-[:Okta_ReadPasswordUpdates]->(:Okta_User)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the scim-read-passwords.json file.
API Service Integration Creators
Lists all API service integrations and their creators.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_CreatorOf]->(:Okta_ApiServiceIntegration)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the service-integration-creators.json file.
Stale Privileged Users (Direct)
Finds user accounts that have not logged in for at least 180 days and directly hold privileged role assignments.
MATCH p = (u:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE u.lastLogin IS NULL OR datetime(u.lastLogin) <= datetime() - duration("P180D")
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the stale-privileged-accounts-direct.json file.
Stale Privileged Users (Indirect)
Finds user accounts that have not logged in for at least 180 days and hold privileged role assignments through group membership.
MATCH p = (u:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE u.lastLogin IS NULL OR datetime(u.lastLogin) <= datetime() - duration("P180D")
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the stale-privileged-accounts-indirect.json file.
Secure Web Authentication Applications
Secure Web Authentication (SWA) relationships between Okta users and their linked accounts in external applications.
MATCH p = (:Okta_User)-[:Okta_SWA]->(n)
WHERE NOT n:Okta
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the swa-applications.json file.
Inbound User and Group Synchronization
Lists all inbound user and group synchronization relationships to Okta, including password synchronization across Org2Org setups.
MATCH p = (n)-[:Okta_UserSync|Okta_MembershipSync|Okta_PasswordSync]->(:Okta_User:Okta_Group)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the sync-relationships-inbound.json file.
Outbound User and Group Synchronization
Lists all outbound user and group synchronization relationships from Okta, including password synchronization across Org2Org setups.
MATCH p = (:Okta_User:Okta_Group)-[:Okta_UserSync|Okta_MembershipSync|Okta_PasswordSync]->(n)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the sync-relationships-outbound.json file.
Tier Zero Principals and Devices
Principals with SUPER_ADMIN or ORG_ADMIN role assignments and their associated devices.
MATCH p = (:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf|Okta_DeviceOf*1..3]->(r:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta_Organization)
WHERE r.type = "SUPER_ADMIN"
OR r.type = "ORG_ADMIN"
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the tier0.json file.
Users with API Tokens
Retrieves all (privileged) users who have been assigned API tokens.
MATCH p = (:Okta_ApiToken)-[:Okta_ApiTokenFor]->(:Okta_User)<-[:Okta_Contains]-(:Okta_Organization)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the users-api-tokens.json file.