I have recently installed the Okta Identity Cloud App for Splunk. I've noticed that each event is given a field called tag, and there is one value in particular that is of interest: Privileged.
Naturally, those tagged with a value of Privileged are of interest. However, upon reviewing some of these events they seem to be largely innocuous and are often events relating to signing in. If I look at all events with the 'privileged' tag and view the values for displayMessage I see the following:
- An identity provider has been chosen to authenticate the user
- User login to Okta
- Verify user identity
- Authenticate user with AD agent
- Evaluation of sign-on policy
- User single sign on to app
Does anyone know what constitutes an event being tagged with the privileged value? Is it the case that it is assigned to any event initiated by a user with any level of privilege?
Thanks in advance.