
Okta Password Accessed

Panther Rules

Summary
The 'Okta Password Accessed' detection rule identifies cases where a user accesses another user's application password in Okta. It is aimed at monitoring potentially unauthorized access to sensitive information that could compromise user credentials and application security. The rule evaluates Okta system events in which the action of showing a password occurs, capturing details such as the actor, event type, and security context. When the event indicates that a user accessed a password that is not their own, the rule raises a medium-severity alert, prompting an investigation to determine whether the access was authorized or malicious. The alert draws on logged parameters such as the actor's email, geographical context, and the outcome of the action. The rule supports credential protection and helps identify and mitigate credential theft or insecure password access.
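
The comparison the summary describes, written out as an added example (this is not Panther's rule source). It assumes the rule keys on the Okta System Log event type application.user_membership.show_password and treats User-type entries in target as the password owners; the helper names and the sample events are constructed for illustration.

```python
# Added illustration; not Panther's rule source. Sample events are constructed.
SHOW_PASSWORD = "application.user_membership.show_password"  # assumed trigger event

def _norm(value):
    return (value or "").strip().lower()

def target_users(event):
    """Logins of the User-type targets, i.e. whose app password was revealed."""
    return {_norm(t.get("alternateId")) for t in event.get("target") or []
            if t.get("type") == "User" and t.get("alternateId")}

def rule(event):
    """True when the actor revealed an application password that is not their own."""
    if event.get("eventType") != SHOW_PASSWORD:
        return False
    actor = _norm((event.get("actor") or {}).get("alternateId"))
    # No User target means self-access cannot be confirmed, so this example alerts.
    return actor not in target_users(event)

def alert_context(event):
    """Fields the summary lists for triage: actor email, geo context, outcome."""
    return {
        "actor": (event.get("actor") or {}).get("alternateId"),
        "targets": sorted(target_users(event)),
        "geo": (event.get("client") or {}).get("geographicalContext"),
        "outcome": (event.get("outcome") or {}).get("result"),
        "severity": "MEDIUM",
    }

def _event(actor, owner, event_type=SHOW_PASSWORD):
    """Build a constructed System Log event (example.com addresses are placeholders)."""
    return {
        "eventType": event_type,
        "actor": {"type": "User", "alternateId": actor},
        "target": [{"type": "AppInstance", "alternateId": "Constructed App"},
                   {"type": "User", "alternateId": owner}],
        "client": {"geographicalContext": {"country": "Exampleland", "city": "Sample"}},
        "outcome": {"result": "SUCCESS"},
    }

SAMPLES = [
    _event("admin@example.com", "alice@example.com"),   # another user's password
    _event("Alice@example.com", "alice@example.com"),   # own password, case differs
    _event("admin@example.com", "alice@example.com", "user.session.start"),
]

if __name__ == "__main__":
    for e in SAMPLES:
        print(rule(e), alert_context(e) if rule(e) else "")
```

The login comparison is case-insensitive so that a user revealing their own password is not flagged because of a casing difference between the actor and target fields.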
Categories
  • Identity Management
  • Cloud
  • Web
  • Application
Data Sources
  • User Account
  • Logon Session
  • Application Log
  • Container
  • Cloud Service
ATT&CK Techniques
  • T1552
Created: 2022-09-23