Applies to BloodHound Enterprise and CE

The following custom Cypher queries can be imported into BloodHound to enhance visibility. Each query is defined in a JSON file located in the Queries directory of the OktaHound repository.
This file is automatically generated from the JSON query files that are bundled with the OktaHound collector.

Agents, Agent Pools, and Host Servers

Lists Okta agents, their associated agent pools, and the AD servers hosting each agent.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_AgentPool)<-[:Okta_AgentMemberOf|Okta_HostsAgent*1..2]-(:Okta_Agent:Computer)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the ad-agents.json file.

Principals with Admin Console Access

Identifies principals with access to the Okta Admin Console.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_AppAssignment]->(c:Okta_Application)
WHERE c.appType = "saasure"
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the admin-console-access.json file.

Application Assignments

Lists all application assignments.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_AppAssignment]->(:Okta_Application)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the app-assignments.json file.

Application Credentials

Lists all service application client secrets and JWKs.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)<-[:Okta_SecretOf|Okta_KeyOf]-(:Okta_ClientSecret:Okta_JWK)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the app-credentials.json file.

Devices

Lists all devices, their owners, and any mobile admins.
MATCH p = (:Okta_Device)-[:Okta_DeviceOf]->(:Okta_User)
OPTIONAL MATCH q = (:Okta_User:Okta_Group:Okta_Application)-[:Okta_MobileAdmin]->(:Okta_Device)
RETURN p,q
LIMIT 1000
This query can be imported into BloodHound from the devices.json file.

Group Membership

Retrieves all group membership relationships.
MATCH p = (:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the group-members.json file.

Hybrid Relationships Inbound

Retrieves all hybrid relationships from external systems to Okta.
MATCH p = (n)-[]->(:Okta)
WHERE NOT n:Okta
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the hybrid-inbound.json file.

Hybrid Relationships Outbound

Retrieves all hybrid relationships from Okta to external systems.
MATCH p = (:Okta)-[]->(n)
WHERE NOT n:Okta
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the hybrid-outbound.json file.

Security Principal Synchronization

Retrieves all users and groups that are synchronized TO or FROM Okta.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_UserPull|Okta_UserPush|Okta_GroupPull|Okta_GroupPush]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the hybrid-sync.json file.

Identity Provider Assignments - Direct Privileged Access

Identity providers associated with users or groups that hold direct privileged role assignments in Okta.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(:Okta_User:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the identity-providers-direct-privileged.json file.

Identity Provider Assignments - Indirect Privileged Access

Identity providers associated with users who hold privileged role assignments through group membership in Okta.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor]->(:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the identity-providers-indirect-privileged.json file.

Identity Provider Assignments

Lists all identity providers and the users and groups they are associated with, including per-user trust relationships and automatic group assignments.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(:Okta_User:Okta_Group)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the identity-providers.json file.

Organizational Structure

Retrieves all manager relationships.
MATCH p = (:Okta_User)-[:Okta_ManagerOf]->(:Okta_User)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the org-chart.json file.

Org Trust Relationships

Lists all org-to-org trust relationships including inbound and outbound SSO federation, Secure Web Authentication (SWA), and Kerberos SSO relationships between Okta applications and supported external organizations or tenants.
MATCH p = (:Okta_Application:Okta_IdentityProvider)-[:Okta_InboundOrgSSO|Okta_OutboundOrgSSO|Okta_OrgSWA|Okta_KerberosSSO]-()
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the org-trust-relationships.json file.

Password and MFA Permissions

Lists permissions to reset passwords and MFA factors.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_User:Okta_Group:Okta_Application)-[:Okta_ResetPassword|Okta_ResetFactors|Okta_HelpDeskAdmin|Okta_OrgAdmin|Okta_GroupAdmin]->(:Okta_User)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the password-and-mfa-permissions.json file.

Policy Mappings

Retrieves all policy mappings.
MATCH policies = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Policy)
MATCH mappings = (:Okta_Policy)-[:Okta_PolicyMapping]->(:Okta)
RETURN policies,mappings
LIMIT 1000
This query can be imported into BloodHound from the policy-mappings.json file.

Unrotated Active Access Keys on Privileged Apps

Finds active JWKs or client secrets older than 365 days on applications that have role assignments.
MATCH p = (s:Okta_JWK:Okta_ClientSecret)-[:Okta_KeyOf|Okta_SecretOf]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE s.status = "ACTIVE" AND datetime(s.created) <= datetime() - duration("P365D")
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-app-unrotated-access-keys.json file.

Applications with Role Assignments

Applications that have roles assigned.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-apps.json file.

Synced Principals with Privileged Access (Direct) - Hybrid Edges

Users, groups, and applications with inbound hybrid relationships (sync, SSO, or AD agent) that hold privileged role assignments in Okta.
MATCH p = ()-[:Okta_UserSync|Okta_MembershipSync|Okta_InboundSSO|Okta_HostsAgent]->(:Okta_User:Okta_Group:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-hybrid-inbound-direct.json file.

Synced Principals with Privileged Access (Indirect) - Hybrid Edges

Users and applications with inbound hybrid relationships (sync, SSO, or AD agent) that hold privileged role assignments through group membership in Okta.
MATCH p = ()-[:Okta_UserSync|Okta_InboundSSO|Okta_HostsAgent]->(:Okta_User:Okta_Application)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-hybrid-inbound-indirect.json file.

Synced Principals with Privileged Access (Direct) - Okta Edges

Users and groups synchronized from external sources that have privileged role assignments.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application:Okta_IdentityProvider)-[:Okta_UserPull|Okta_GroupPull|Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(:Okta)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-principals-hybrid-direct.json file.

Synced Principals with Privileged Access (Indirect) - Okta Edges

Users synchronized from external sources that hold privileged role assignments through group membership in Okta.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application:Okta_IdentityProvider)-[:Okta_UserPull|Okta_IdentityProviderFor]->(:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-principals-hybrid-indirect.json file.

Privileged Users without MFA (Direct)

Users who do not have multi-factor authentication enabled and directly hold privileged role assignments.
MATCH p = (u:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE u.authenticationFactors = 0
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-users-no-mfa-direct.json file.

Privileged Users without MFA (Indirect)

Users who do not have multi-factor authentication enabled and hold privileged role assignments through group membership.
MATCH p = (u:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE u.authenticationFactors = 0
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-users-no-mfa-indirect.json file.

Privileged Users with Old Passwords (Direct)

Finds users whose last password change was more than a year ago and who directly hold privileged role assignments.
MATCH p = (u:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE u.passwordChanged IS NOT NULL AND datetime(u.passwordChanged) <= datetime() - duration("P365D")
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-users-old-passwords-direct.json file.

Privileged Users with Old Passwords (Indirect)

Finds users whose last password change was more than a year ago and who hold privileged role assignments through group membership.
MATCH p = (u:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE u.passwordChanged IS NOT NULL AND datetime(u.passwordChanged) <= datetime() - duration("P365D")
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-users-old-passwords-indirect.json file.

Privileged Users with Non-Active Status (Direct)

Finds users whose status is not ACTIVE (deactivated, suspended, or provisioning-incomplete accounts) and who directly hold privileged role assignments.
MATCH p = (u:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE u.status <> "ACTIVE"
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-users-unexpected-status-direct.json file.

Privileged Users with Non-Active Status (Indirect)

Finds users whose status is not ACTIVE (deactivated, suspended, or provisioning-incomplete accounts) and who hold privileged role assignments through group membership.
MATCH p = (u:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE u.status <> "ACTIVE"
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the privileged-users-unexpected-status-indirect.json file.

Read Client Secrets of Privileged Applications

Searches for client secrets associated with privileged applications that are readable by non-Super Admins.
MATCH p = (:Okta)-[:Okta_ReadClientSecret|Okta_MemberOf*1..2]->(:Okta_ClientSecret)-[:Okta_SecretOf]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the read-client-secrets.json file.

Realm Membership

Lists all Okta realms and the users assigned to them.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Realm)-[:Okta_RealmContains]->(:Okta_User)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the realm-membership.json file.

Resource Set Membership

Lists all resource sets and their associated members.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_ResourceSet)-[:Okta_ResourceSetContains]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the resource-set-membership.json file.

Application Administrators and Managers

Lists all Application Administrators and Managers.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_User:Okta_Group:Okta_Application)-[:Okta_AppAdmin|Okta_ManageApp]->(:Okta_Application:Okta_ApiServiceIntegration)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the role-app-admins.json file.

Role Assignments - Role Assignments and Scope

Lists all role assignments and scope, including transitive group membership.
MATCH p = (:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf*1..2]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the role-assignments.json file.

Role Assignments - All Custom Roles

Lists all role assignments, linking principals to their assigned custom roles.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_User:Okta_Group:Okta_Application)-[:Okta_HasRole]->(:Okta_CustomRole)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the role-custom-assignments.json file.

Role Assignments - All Built-in Roles

Lists all role assignments, linking principals to their assigned built-in roles.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_User:Okta_Group:Okta_Application)-[:Okta_HasRole]->(:Okta_Role)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the role-direct-assignments.json file.

Role Assignments - Group Administrators

Lists all Group Administrators and Group Membership Administrators.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_User:Okta_Group:Okta_Application)-[:Okta_GroupAdmin|Okta_GroupMembershipAdmin|Okta_OrgAdmin]->(:Okta_Group)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the role-group-admins.json file.

SCIM Apps Receiving Password Updates

Lists application-to-user assignments where the app receives password updates.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)-[:Okta_ReadPasswordUpdates]->(:Okta_User)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the scim-read-passwords.json file.

API Service Integration Creators

Lists all API service integrations and their creators.
MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_CreatorOf]->(:Okta_ApiServiceIntegration)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the service-integration-creators.json file.

Stale Privileged Users (Direct)

Finds user accounts that have never logged in or have not logged in for at least 180 days and that directly hold privileged role assignments.
MATCH p = (u:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE u.lastLogin IS NULL OR datetime(u.lastLogin) <= datetime() - duration("P180D")
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the stale-privileged-accounts-direct.json file.

Stale Privileged Users (Indirect)

Finds user accounts that have never logged in or have not logged in for at least 180 days and that hold privileged role assignments through group membership.
MATCH p = (u:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
WHERE u.lastLogin IS NULL OR datetime(u.lastLogin) <= datetime() - duration("P180D")
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the stale-privileged-accounts-indirect.json file.
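The privileged-user hygiene queries above (no MFA, old passwords, non-active status, stale accounts, each in a direct and an indirect variant) share two patterns worth seeing outside Cypher: the direct versus group-membership path to a role assignment, and the different NULL handling of `lastLogin IS NULL OR ...` versus `passwordChanged IS NOT NULL AND ...`. The following Python is an added example, not OktaHound code; it re-implements those filters over a constructed in-memory graph whose property names mirror the node properties the queries reference, with a fixed `NOW` standing in for Cypher's `datetime()`.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample graph (not collector output). Property names mirror the
# node properties the queries above reference.
USERS = {
    "u1": {"status": "ACTIVE", "authenticationFactors": 2,
           "lastLogin": "2025-05-20T08:00:00Z", "passwordChanged": None},
    "u2": {"status": "ACTIVE", "authenticationFactors": 0,
           "lastLogin": None, "passwordChanged": "2023-01-01T00:00:00Z"},
    "u3": {"status": "SUSPENDED", "authenticationFactors": 1,
           "lastLogin": "2025-01-01T00:00:00Z", "passwordChanged": "2025-03-01T00:00:00Z"},
    "u4": {"status": "ACTIVE", "authenticationFactors": 0,
           "lastLogin": "2024-01-01T00:00:00Z", "passwordChanged": "2024-01-01T00:00:00Z"},
}
MEMBER_OF = {"u2": ["g-admins"], "u3": ["g-admins"], "u4": ["g-staff"]}  # Okta_MemberOf edges
# Okta_HasRoleAssignment -> Okta_RoleAssignment -> Okta_ScopedTo, keyed by the principal
ROLE_ASSIGNMENTS = {"u1": ["SUPER_ADMIN"], "g-admins": ["ORG_ADMIN"]}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed stand-in for Cypher datetime()


def direct_privileged():
    """(u:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->()"""
    return {u for u in USERS if ROLE_ASSIGNMENTS.get(u)}

def indirect_privileged():
    """(u)-[:Okta_MemberOf]->(g)-[:Okta_HasRoleAssignment]->(...): privilege via a group."""
    return {u for u, groups in MEMBER_OF.items() if any(ROLE_ASSIGNMENTS.get(g) for g in groups)}

def _at_least_days_old(ts, days):
    """datetime(ts) <= datetime() - duration('P<days>D')"""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) <= NOW - timedelta(days=days)

def stale(users, days=180):
    """lastLogin IS NULL OR old: an account that never logged in counts as stale."""
    return {u for u in users if USERS[u]["lastLogin"] is None
            or _at_least_days_old(USERS[u]["lastLogin"], days)}

def old_password(users, days=365):
    """passwordChanged IS NOT NULL AND old: an unknown change date is excluded."""
    return {u for u in users if USERS[u]["passwordChanged"] is not None
            and _at_least_days_old(USERS[u]["passwordChanged"], days)}

def no_mfa(users):
    return {u for u in users if USERS[u]["authenticationFactors"] == 0}

def non_active(users):
    return {u for u in users if USERS[u]["status"] != "ACTIVE"}


if __name__ == "__main__":
    privileged = direct_privileged() | indirect_privileged()  # u4 is never privileged
    for check in (stale, old_password, no_mfa, non_active):
        print(check.__name__, sorted(check(privileged)))
```

Note that u1 has no recorded password change and is therefore absent from the old-password result, while u2 has no recorded login and is therefore present in the stale result; that asymmetry is exactly what the two WHERE clauses encode.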

Secure Web Authentication Applications

Secure Web Authentication (SWA) relationships between Okta users and their linked accounts in external applications.
MATCH p = (:Okta_User)-[:Okta_SWA]->(n)
WHERE NOT n:Okta
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the swa-applications.json file.

Inbound User and Group Synchronization

Lists all inbound user and group synchronization relationships to Okta, including password synchronization across Org2Org setups.
MATCH p = (n)-[:Okta_UserSync|Okta_MembershipSync|Okta_PasswordSync]->(:Okta_User:Okta_Group)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the sync-relationships-inbound.json file.

Outbound User and Group Synchronization

Lists all outbound user and group synchronization relationships from Okta, including password synchronization across Org2Org setups.
MATCH p = (:Okta_User:Okta_Group)-[:Okta_UserSync|Okta_MembershipSync|Okta_PasswordSync]->(n)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the sync-relationships-outbound.json file.

Tier Zero Principals and Devices

Principals with SUPER_ADMIN or ORG_ADMIN role assignments and their associated devices.
MATCH p = (:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf|Okta_DeviceOf*1..3]->(r:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta_Organization)
WHERE r.type = "SUPER_ADMIN"
OR r.type = "ORG_ADMIN"
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the tier0.json file.

Users with API Tokens

Retrieves all (privileged) users who have been assigned API tokens.
MATCH p = (:Okta_ApiToken)-[:Okta_ApiTokenFor]->(:Okta_User)<-[:Okta_Contains]-(:Okta_Organization)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the users-api-tokens.json file.