> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Cypher Queries

> Okta extension Cypher queries

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

The following custom Cypher queries can be imported into BloodHound as saved queries to give visibility into the Okta organization collected by the extension. Every query is capped with `LIMIT 1000`; raise the limit or narrow the pattern when an organization is large enough for the cap to truncate results.

<Info>
  This file is automatically generated from the [JSON query files](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches).
</Info>

## Agents, Agent Pools, and Host Servers

Lists Okta agents, their agent pools, and the AD servers (`Computer` nodes) that host each agent.

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_AgentPool)<-[:Okta_AgentMemberOf|Okta_HostsAgent*1..2]-(agent)
WHERE agent:Okta_Agent OR agent:Computer
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [ad-agents.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/ad-agents.json) file.

## Principals with Admin Console Access

Identifies principals assigned the Okta Admin Console application, which the collector records with `appType = "saasure"`.

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_AppAssignment]->(console:Okta_Application)
WHERE console.appType = "saasure"
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [admin-console-access.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/admin-console-access.json) file.

## Application Assignments

Lists all application assignments from Okta principals to applications.

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_AppAssignment]->(:Okta_Application)
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [app-assignments.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/app-assignments.json) file.

## Application Credentials

Lists all service application credentials: client secrets and JSON Web Keys (JWKs).

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)<-[:Okta_SecretOf|Okta_KeyOf]-(credential)
WHERE credential:Okta_ClientSecret OR credential:Okta_JWK
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [app-credentials.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/app-credentials.json) file.

## Devices

Lists all devices, their owners, and any principals holding mobile admin rights over each device.

```cypher theme={null}
MATCH path = (device:Okta_Device)-[:Okta_DeviceOf]->(:Okta_User)
OPTIONAL MATCH adminPath = (admin)-[:Okta_MobileAdmin]->(device)
WHERE admin:Okta_User OR admin:Okta_Group OR admin:Okta_Application
RETURN path, adminPath
LIMIT 1000
```

This query can be imported into BloodHound from the [devices.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/devices.json) file.

## Group Membership

Retrieves all group membership relationships.

```cypher theme={null}
MATCH path = (:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [group-members.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/group-members.json) file.

## Hybrid Relationships Inbound

Retrieves all hybrid relationships from external systems to Okta.

```cypher theme={null}
MATCH path = (source)-[]->(:Okta)
WHERE NOT source:Okta
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [hybrid-inbound.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/hybrid-inbound.json) file.

## Hybrid Relationships Outbound

Retrieves all hybrid relationships from Okta to external systems.

```cypher theme={null}
MATCH path = (:Okta)-[]->(target)
WHERE NOT target:Okta
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [hybrid-outbound.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/hybrid-outbound.json) file.

## Security Principal Synchronization

Retrieves all users and groups that are pulled into or pushed out of Okta by a provisioning integration.

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_UserPull|Okta_UserPush|Okta_GroupPull|Okta_GroupPush]->(:Okta)
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [hybrid-sync.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/hybrid-sync.json) file.

## Identity Provider Assignments - Direct Privileged Access

Identity providers associated with users or groups that hold direct privileged role assignments in Okta.

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(assignee)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE assignee:Okta_User OR assignee:Okta_Group
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [identity-providers-direct-privileged.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/identity-providers-direct-privileged.json) file.

## Identity Provider Assignments - Indirect Privileged Access

Identity providers associated with users who hold privileged role assignments through group membership in Okta.

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor]->(:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [identity-providers-indirect-privileged.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/identity-providers-indirect-privileged.json) file.

## Identity Provider Assignments

Lists all identity providers and the users and groups they are associated with, including per-user trust relationships and automatic group assignments.

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(assignee)
WHERE assignee:Okta_User OR assignee:Okta_Group
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [identity-providers.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/identity-providers.json) file.

## Organizational Structure

Retrieves all manager relationships.

```cypher theme={null}
MATCH path = (:Okta_User)-[:Okta_ManagerOf]->(:Okta_User)
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [org-chart.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/org-chart.json) file.

## Org Trust Relationships

Lists all org-to-org trust relationships including inbound and outbound SSO federation, Secure Web Authentication (SWA), and Kerberos SSO relationships between Okta applications and supported external organizations or tenants.

```cypher theme={null}
MATCH path = (source)-[:Okta_InboundOrgSSO|Okta_OutboundOrgSSO|Okta_OrgSWA|Okta_KerberosSSO]-()
WHERE source:Okta_Application OR source:Okta_IdentityProvider
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [org-trust-relationships.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/org-trust-relationships.json) file.

## Password and MFA Permissions

Lists principals that can reset a user's password or MFA factors, whether through an explicit reset edge or through a Help Desk, Org or Group Administrator role that covers the user.

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(actor)-[:Okta_ResetPassword|Okta_ResetFactors|Okta_HelpDeskAdmin|Okta_OrgAdmin|Okta_GroupAdmin]->(:Okta_User)
WHERE actor:Okta_User OR actor:Okta_Group OR actor:Okta_Application
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [password-and-mfa-permissions.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/password-and-mfa-permissions.json) file.

## Policy Mappings

Retrieves all policies and the resources each policy is mapped to.

```cypher theme={null}
MATCH policies = (:Okta_Organization)-[:Okta_Contains]->(policy:Okta_Policy)
MATCH mappings = (policy)-[:Okta_PolicyMapping]->(:Okta)
RETURN policies, mappings
LIMIT 1000
```

This query can be imported into BloodHound from the [policy-mappings.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/policy-mappings.json) file.

## Unrotated Active Access Keys on Privileged Apps

Finds active JWKs or client secrets older than 365 days on applications that hold role assignments. Age is measured from `credential.created` against the time the query runs, not against collection time.

```cypher theme={null}
MATCH path = (credential)-[:Okta_KeyOf|Okta_SecretOf]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE (credential:Okta_JWK OR credential:Okta_ClientSecret) AND credential.status = "ACTIVE" AND datetime(credential.created) <= datetime() - duration("P365D")
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [privileged-app-unrotated-access-keys.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-app-unrotated-access-keys.json) file.

## Applications with Role Assignments

Applications that hold role assignments, i.e. service applications acting with administrator privileges.

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [privileged-apps.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-apps.json) file.

## Synced Principals with Privileged Access (Direct) - Hybrid Edges

Users, groups, and applications with inbound hybrid relationships (sync, SSO, or AD agent) that hold privileged role assignments in Okta.

```cypher theme={null}
MATCH path = ()-[:Okta_UserSync|Okta_MembershipSync|Okta_InboundSSO|Okta_HostsAgent]->(principal)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE principal:Okta_User OR principal:Okta_Group OR principal:Okta_Application
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [privileged-hybrid-inbound-direct.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-hybrid-inbound-direct.json) file.

## Synced Principals with Privileged Access (Indirect) - Hybrid Edges

Users and applications with inbound hybrid relationships (sync, SSO, or AD agent) that hold privileged role assignments through group membership in Okta.

```cypher theme={null}
MATCH path = ()-[:Okta_UserSync|Okta_InboundSSO|Okta_HostsAgent]->(principal)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE principal:Okta_User OR principal:Okta_Application
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [privileged-hybrid-inbound-indirect.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-hybrid-inbound-indirect.json) file.

## Synced Principals with Privileged Access (Direct) - Okta Edges

Users and groups synchronized from external sources that have privileged role assignments.

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(provider)-[:Okta_UserPull|Okta_GroupPull|Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(:Okta)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE provider:Okta_Application OR provider:Okta_IdentityProvider
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [privileged-principals-hybrid-direct.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-principals-hybrid-direct.json) file.

## Synced Principals with Privileged Access (Indirect) - Okta Edges

Users synchronized from external sources that hold privileged role assignments through group membership in Okta.

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(provider)-[:Okta_UserPull|Okta_IdentityProviderFor]->(:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE provider:Okta_Application OR provider:Okta_IdentityProvider
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [privileged-principals-hybrid-indirect.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-principals-hybrid-indirect.json) file.

## Privileged Users without MFA (Direct)

Users with no enrolled authentication factors (`authenticationFactors = 0`) who directly hold privileged role assignments.

```cypher theme={null}
MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.authenticationFactors = 0
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [privileged-users-no-mfa-direct.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-users-no-mfa-direct.json) file.

## Privileged Users without MFA (Indirect)

Users with no enrolled authentication factors (`authenticationFactors = 0`) who hold privileged role assignments through group membership.

```cypher theme={null}
MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.authenticationFactors = 0
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [privileged-users-no-mfa-indirect.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-users-no-mfa-indirect.json) file.

## Privileged Users with Old Passwords (Direct)

Finds users whose last password change was more than a year ago and who directly hold privileged role assignments. Users with no recorded `passwordChanged` value are excluded, unlike the stale-account queries, which treat a missing `lastLogin` as stale.

```cypher theme={null}
MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.passwordChanged IS NOT NULL AND datetime(user.passwordChanged) <= datetime() - duration("P365D")
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [privileged-users-old-passwords-direct.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-users-old-passwords-direct.json) file.

## Privileged Users with Old Passwords (Indirect)

Finds users whose last password change was more than a year ago and who hold privileged role assignments through group membership. Users with no recorded `passwordChanged` value are excluded.

```cypher theme={null}
MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.passwordChanged IS NOT NULL AND datetime(user.passwordChanged) <= datetime() - duration("P365D")
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [privileged-users-old-passwords-indirect.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-users-old-passwords-indirect.json) file.

## Privileged Users with Non-Active Status (Direct)

Finds users whose status is not ACTIVE and who directly hold privileged role assignments, including deactivated, suspended, or provisioning-incomplete accounts.

```cypher theme={null}
MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.status <> "ACTIVE"
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [privileged-users-unexpected-status-direct.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-users-unexpected-status-direct.json) file.

## Privileged Users with Non-Active Status (Indirect)

Finds users whose status is not ACTIVE and who hold privileged role assignments through group membership, including deactivated, suspended, or provisioning-incomplete accounts.

```cypher theme={null}
MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.status <> "ACTIVE"
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [privileged-users-unexpected-status-indirect.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-users-unexpected-status-indirect.json) file.

## Read Client Secrets of Privileged Applications

Searches for client secrets of privileged applications that are readable by principals other than Super Admins, either directly or through group membership.

```cypher theme={null}
MATCH path = (:Okta)-[:Okta_ReadClientSecret|Okta_MemberOf*1..2]->(:Okta_ClientSecret)-[:Okta_SecretOf]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [read-client-secrets.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/read-client-secrets.json) file.

## Realm Membership

Lists all Okta realms and the users assigned to them.

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Realm)-[:Okta_RealmContains]->(:Okta_User)
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [realm-membership.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/realm-membership.json) file.

## Resource Set Membership

Lists all resource sets and their associated members.

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_ResourceSet)-[:Okta_ResourceSetContains]->(:Okta)
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [resource-set-membership.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/resource-set-membership.json) file.

## Application Administrators and Managers

Lists all Application Administrators and application managers, including those over API service integrations.

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(admin)-[:Okta_AppAdmin|Okta_ManageApp]->(app)
WHERE (admin:Okta_User OR admin:Okta_Group OR admin:Okta_Application) AND (app:Okta_Application OR app:Okta_ApiServiceIntegration)
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [role-app-admins.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/role-app-admins.json) file.

## Role Assignments - Role Assignments and Scope

Lists all role assignments and their scope, including assignments inherited through group membership. One `Okta_MemberOf` hop is sufficient because Okta groups do not nest.

```cypher theme={null}
MATCH path = (:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf*1..2]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [role-assignments.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/role-assignments.json) file.

## Role Assignments - All Custom Roles

Lists all role assignments, linking principals to their assigned custom roles.

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(assignee)-[:Okta_HasRole]->(:Okta_CustomRole)
WHERE assignee:Okta_User OR assignee:Okta_Group OR assignee:Okta_Application
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [role-custom-assignments.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/role-custom-assignments.json) file.

## Role Assignments - All Built-in Roles

Lists all role assignments, linking principals to their assigned built-in roles.

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(assignee)-[:Okta_HasRole]->(:Okta_Role)
WHERE assignee:Okta_User OR assignee:Okta_Group OR assignee:Okta_Application
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [role-direct-assignments.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/role-direct-assignments.json) file.

## Role Assignments - Group Administrators

Lists all Group Administrators and Group Membership Administrators; Org Administrator edges to groups are included as well.

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(admin)-[:Okta_GroupAdmin|Okta_GroupMembershipAdmin|Okta_OrgAdmin]->(:Okta_Group)
WHERE admin:Okta_User OR admin:Okta_Group OR admin:Okta_Application
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [role-group-admins.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/role-group-admins.json) file.

## SCIM Apps Receiving Password Updates

Lists application-to-user assignments in which the application receives the user's Okta password whenever it is updated, so the application (and anyone who controls it) holds a copy of that password.

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)-[:Okta_ReadPasswordUpdates]->(:Okta_User)
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [scim-read-passwords.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/scim-read-passwords.json) file.

## API Service Integration Creators

Lists all API service integrations and their creators.

```cypher theme={null}
MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_CreatorOf]->(:Okta_ApiServiceIntegration)
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [service-integration-creators.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/service-integration-creators.json) file.

## Stale Privileged Users (Direct)

Finds user accounts that have not logged in for at least 180 days and that directly hold privileged role assignments. Accounts with no recorded login (`lastLogin` is null) are included.

```cypher theme={null}
MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.lastLogin IS NULL OR datetime(user.lastLogin) <= datetime() - duration("P180D")
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [stale-privileged-accounts-direct.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/stale-privileged-accounts-direct.json) file.

## Stale Privileged Users (Indirect)

Finds user accounts that have not logged in for at least 180 days and that hold privileged role assignments through group membership. Accounts with no recorded login (`lastLogin` is null) are included.

```cypher theme={null}
MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE user.lastLogin IS NULL OR datetime(user.lastLogin) <= datetime() - duration("P180D")
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [stale-privileged-accounts-indirect.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/stale-privileged-accounts-indirect.json) file.

## Secure Web Authentication Applications

Secure Web Authentication (SWA) relationships between Okta users and their linked accounts in external applications.

```cypher theme={null}
MATCH path = (:Okta_User)-[:Okta_SWA]->(target)
WHERE NOT target:Okta
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [swa-applications.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/swa-applications.json) file.

## Inbound User and Group Synchronization

Lists all inbound user and group synchronization relationships to Okta, including password synchronization across Org2Org setups.

```cypher theme={null}
MATCH path = (source)-[:Okta_UserSync|Okta_MembershipSync|Okta_PasswordSync]->(target)
WHERE target:Okta_User OR target:Okta_Group
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [sync-relationships-inbound.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/sync-relationships-inbound.json) file.

## Outbound User and Group Synchronization

Lists all outbound user and group synchronization relationships from Okta, including password synchronization across Org2Org setups.

```cypher theme={null}
MATCH path = (source)-[:Okta_UserSync|Okta_MembershipSync|Okta_PasswordSync]->(target)
WHERE source:Okta_User OR source:Okta_Group
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [sync-relationships-outbound.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/sync-relationships-outbound.json) file.

## Tier Zero Principals and Devices

Principals with `SUPER_ADMIN` or `ORG_ADMIN` role assignments scoped to the organization, reached directly or through group membership, and their associated devices.

```cypher theme={null}
MATCH path = (:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf|Okta_DeviceOf*1..3]->(role:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta_Organization)
WHERE role.type = "SUPER_ADMIN"
OR role.type = "ORG_ADMIN"
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [tier0.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/tier0.json) file.

## Users with API Tokens

Retrieves all users that own Okta API tokens. A token carries the permissions of the user it belongs to, so tokens owned by privileged users are of particular interest.

```cypher theme={null}
MATCH path = (:Okta_ApiToken)-[:Okta_ApiTokenFor]->(:Okta_User)<-[:Okta_Contains]-(:Okta_Organization)
RETURN path
LIMIT 1000
```

This query can be imported into BloodHound from the [users-api-tokens.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/users-api-tokens.json) file.
