Okta Privileged Access : User Identity Creation alert

This article describes how to send a notification to the security team when a new user ID is created on any resource protected by Okta Privileged Access (Okta PA). It helps the security team identify identities created directly on protected servers that have not been discovered and are not managed by the Okta PA vault, i.e. accounts created outside the process, which can represent a risk to an organization.

The example is built with Okta Workflows and is driven by an event captured in the Okta System Log.

Use Case Overview

Once servers are enrolled in the Okta PA platform, the server agents periodically check for newly created local accounts. When a new account is discovered, the agent reports it to the Okta PA platform, which records a “pam.server_account.discovered” event in the Okta System Log.

We use an Okta Workflow that searches the Okta System Log for this event. For each discovered account, the flow queries the Okta PA projects in the account's resource group to fetch the list of managed accounts and compares the discovered account against it. If the account is already managed, the flow notifies the security team that a managed account was created on another server, with details; otherwise it notifies the security team of the new identity created on the server, with details.

The main workflow runs on a schedule, checks for all matching events since the last run and processes them together. This is more efficient than triggering a flow for every newly discovered account event.

Example Workflow

Prerequisite:

  • Create a table to capture the last execution timestamp. This table will always have a single row with the last execution timestamp.

Workflow Table structure:

I used a standard pattern for the flows:

  1. Created a scheduler flow that keeps checking for the “pam.server_account.discovered” Okta System Log event.

Steps involved with the flow:

  • Read the last execution timestamp from the table. If the table has no entry (the flow has never run), create a row; otherwise update the row with the current execution timestamp as the new last execution timestamp.
  • To make the comparison time-zone neutral, convert all timestamps to ISO format.
  • Search the System Log for “pam.server_account.discovered” events between the last execution timestamp and the current timestamp.
  • Fetch the list of managed accounts for the discovered account's resource group and project, and compare.
  • Send a notification for each discovered account using the helper flow.
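The steps above, plus the two helper flows (fetch managed accounts and compare; send one notification per discovered account), can be simulated outside Okta Workflows. The following Python script is an added example written for this article, not code from Okta or from the original flows. It runs entirely offline on constructed System Log events: the `eventType` and `published` fields follow the real System Log shape, but the `target` entry types (`PamServerAccount`, `PamServer`, `PamResourceGroup`, `PamProject`) and the managed-account inventory are assumptions standing in for the real API responses, and `build_notifications` returns the notification payloads instead of sending email.

```python
"""Offline simulation of the scheduled discovery-alert flow.

A real implementation would pull events from GET /api/v1/logs with `since`,
`until` and a filter on eventType, and fetch managed accounts from the Okta PA
project; here both inputs are constructed so the logic can be run anywhere.
"""
from datetime import datetime, timezone

EVENT_TYPE = "pam.server_account.discovered"

# Constructed sample events. The target "type" values are an assumption,
# not the documented schema for this event.
SAMPLE_EVENTS = [
    {"eventType": EVENT_TYPE, "published": "2024-05-01T10:15:30.123Z",
     "target": [
         {"type": "PamServerAccount", "displayName": "deploy"},
         {"type": "PamServer", "displayName": "web-02"},
         {"type": "PamResourceGroup", "displayName": "prod-rg"},
         {"type": "PamProject", "displayName": "web-project"}]},
    {"eventType": EVENT_TYPE, "published": "2024-05-01T10:20:00.000Z",
     "target": [
         {"type": "PamServerAccount", "displayName": "svc-unknown"},
         {"type": "PamServer", "displayName": "db-01"},
         {"type": "PamResourceGroup", "displayName": "prod-rg"},
         {"type": "PamProject", "displayName": "db-project"}]},
    # Unrelated event type: the filter must ignore it.
    {"eventType": "user.session.start",
     "published": "2024-05-01T10:21:00.000Z", "target": []},
]

# Constructed stand-in for "fetch the managed accounts of the project",
# keyed by (resource group, project).
MANAGED_ACCOUNTS = {
    ("prod-rg", "web-project"): {"deploy", "appsvc"},
    ("prod-rg", "db-project"): {"dbadmin"},
}


def parse_published(value):
    """System Log timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def checkpoint(table, now):
    """Single-row table pattern: return the previous run time (None on the
    first run) and store the current run time, always as ISO-8601 UTC."""
    previous = table.get("last_execution")
    table["last_execution"] = now.astimezone(timezone.utc).isoformat()
    return parse_published(previous) if previous else None


def select_events(events, since, until):
    """Yield only discovery events published after `since` and up to `until`."""
    for event in events:
        if event.get("eventType") != EVENT_TYPE:
            continue
        published = parse_published(event["published"])
        if since is not None and published <= since:
            continue
        if published > until:
            continue
        yield event


def extract_discovery(event):
    """Flatten the target list into the fields the notification needs."""
    by_type = {t["type"]: t["displayName"] for t in event.get("target", [])}
    return {
        "account": by_type.get("PamServerAccount"),
        "server": by_type.get("PamServer"),
        "resource_group": by_type.get("PamResourceGroup"),
        "project": by_type.get("PamProject"),
        "published": event["published"],
    }


def classify(discovery, managed):
    """Helper flow 1: is the discovered account already vaulted in its project?"""
    key = (discovery["resource_group"], discovery["project"])
    if discovery["account"] in managed.get(key, set()):
        return "managed-other-server"
    return "unmanaged"


def build_notifications(events, managed, table, now):
    """Main flow: checkpoint, filter the window, classify, one alert per hit."""
    since = checkpoint(table, now)
    notifications = []
    for event in select_events(events, since, now):
        discovery = extract_discovery(event)
        status = classify(discovery, managed)
        if status == "managed-other-server":
            subject = "Managed account %s created on another server: %s"
        else:
            subject = "Unmanaged account %s created on server %s"
        notifications.append({**discovery, "status": status,
                              "subject": subject % (discovery["account"],
                                                    discovery["server"])})
    return notifications


if __name__ == "__main__":
    state_table = {}  # the single-row last-execution table
    run_time = parse_published("2024-05-01T11:00:00Z")
    for alert in build_notifications(SAMPLE_EVENTS, MANAGED_ACCOUNTS,
                                     state_table, run_time):
        print(alert["status"], "|", alert["subject"])
```

The second run with the same events produces no alerts because the checkpoint now excludes everything published before the first run, which is the behaviour that makes the scheduled flow cheaper than a per-event trigger.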

Workflow Cards (Main Flow): Part A:

Part B:

Workflow Chart of Main Flow:

  2. Created a helper flow to fetch the managed accounts inside the project.

Workflow Cards (Helper Flow – 1): Part A

Part B:

Workflow chart of the helper flow that fetches managed accounts and verifies the discovered account.

  3. Created a helper flow to send a notification. This flow loops over each discovered account found in the System Log.

Workflow Cards (Helper Flow -2)

Workflow chart of helper flow to send notifications.

Sample email notification: 

  1. Managed user created on a server under the same project.
  2. Unmanaged user created on a server.
