Okta OPA server account password changed out of band
Goal
Detects when a server account password is altered by a method other than Okta Privileged Access (OPA) scheduled rotation.
Okta Privileged Access allows Okta users to access servers through a local server account. These individual user accounts are managed and created by Okta on each server.
Strategy
This rule monitors Okta for successful pam.server_account.password_change.out_of_band events. It focuses on password changes performed outside the standard rotation workflow or an approved change process for server accounts managed by OPA. Adversaries may attempt to bypass OPA-based server access controls by resetting such an account's password through another channel.
This detection has been adopted from rules published by the Okta team.
Triage & Response
- Identify the target server account, resource, and actor who initiated the request.
- Verify if a legitimate change request or ticket exists.
- Review the source IP {{@network.client.ip}} and geo-location for the actor and determine whether they align with normal administrative patterns.
- Check OPA policy configuration to confirm the account's rotation schedule and whether this change bypassed documented rotation workflows.
- Analyze subsequent authentications using the server account after the change to detect abnormal access or lateral movement.
- If user activity is suspicious, begin your organization’s incident response process and investigate for any account takeovers.
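The following is an added example, not part of this rule page or of Okta's or Datadog's code, showing the Strategy's filter (the named event type with a SUCCESS outcome) applied to Okta System Log lines and the Triage steps' fields pulled out of each match: actor, client IP (assumed to be what `{{@network.client.ip}}` maps from, Okta's `client.ipAddress`), country, and targets, plus a check against a hypothetical allowlist of administrative source ranges. The sample log entries and their target type and values are constructed for the example.

```python
import json
import ipaddress

# Event type the rule keys on (named on the page); only successful outcomes count.
OOB_EVENT = "pam.server_account.password_change.out_of_band"

# Hypothetical allowlist of admin source ranges for the "normal administrative
# patterns" triage step; replace with your own.
ADMIN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def in_admin_range(ip, ranges=ADMIN_RANGES):
    try:
        return any(ipaddress.ip_address(ip) in net for net in ranges)
    except ValueError:  # missing or malformed address
        return False

def find_out_of_band_changes(system_log_lines, ranges=ADMIN_RANGES):
    """Return one triage record per successful out-of-band server account
    password change in an iterable of Okta System Log JSON lines."""
    findings = []
    for line in system_log_lines:
        ev = json.loads(line)
        if ev.get("eventType") != OOB_EVENT:
            continue
        if (ev.get("outcome") or {}).get("result") != "SUCCESS":
            continue
        client = ev.get("client") or {}
        ip = client.get("ipAddress", "unknown")
        findings.append({
            "actor": (ev.get("actor") or {}).get("alternateId", "unknown"),
            "client_ip": ip,
            "country": (client.get("geographicalContext") or {}).get("country", "unknown"),
            "targets": [(t.get("type"), t.get("displayName")) for t in ev.get("target") or []],
            "from_admin_range": in_admin_range(ip, ranges),
        })
    return findings

# Constructed sample entries (not real log data): a success from an unknown
# range, a failed attempt, and an unrelated event that must be ignored.
SAMPLE_LOG = [
    json.dumps({"eventType": OOB_EVENT, "outcome": {"result": "SUCCESS"},
                "actor": {"alternateId": "alice@example.com"},
                "client": {"ipAddress": "198.51.100.7", "geographicalContext": {"country": "NL"}},
                "target": [{"type": "PamServerAccount", "displayName": "svc-backup"}]}),
    json.dumps({"eventType": OOB_EVENT, "outcome": {"result": "FAILURE"},
                "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "203.0.113.5"}}),
    json.dumps({"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
                "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "203.0.113.9"}}),
]
```

Running `find_out_of_band_changes(SAMPLE_LOG)` yields a single record for the successful change from 198.51.100.7, flagged as outside the admin ranges, which is the case that warrants the ticket check and follow-on authentication review above.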