Name:Multiple Okta Users With Invalid Credentials From The Same IP id:19cba45f-cad3-4032-8911-0c09e0444552 version:4 date:2024-10-17 author:Michael Haag, Mauricio Velazco, Rico Valdez, Splunk status:deprecated type:TTP Description:**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Users Failing To Authenticate From Ip`. This analytic identifies multiple failed logon attempts from a single IP in a short period of time. Use this analytic to identify patterns of suspicious logins from a single source and filter as needed or use this to drive tuning for higher fidelity analytics. Data_source:
search:`okta` eventType=user.session.start outcome.result=FAILURE | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats min(_time) as firstTime max(_time) as lastTime dc(src_user) as distinct_users values(src_user) as users by src_ip, displayMessage, outcome.reason, country, state, city | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search distinct_users > 5| `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter`
how_to_implement:This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment. known_false_positives:A single public IP address servicing multiple legitmate users may trigger this search. In addition, the threshold of 5 distinct users may be too low for your needs. You may modify the included filter macro `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` to raise the threshold or except specific IP adresses from triggering this search. References: -https://developer.okta.com/docs/reference/api/event-types/?q=INVALID_CREDENTIALS -https://developer.okta.com/docs/reference/api/system-log/ -https://attack.mitre.org/techniques/T1110/003/ drilldown_searches:
: tags: analytic_story: - 'Suspicious Okta Activity' asset_type:Okta Tenant confidence:30 impact:30 message:Multple user accounts have failed to authenticate from a single IP. mitre_attack_id: - 'T1110.003' - 'T1078' - 'T1078.001' observable: name:'src_ip' type:'IP Address' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'outcome.reason' - 'client.geographicalContext.country' - 'client.geographicalContext.state' - 'client.geographicalContext.city' - 'user' - 'src_ip' - 'displayMessage' - 'eventType' - 'outcome.result' risk_score:9 security_domain:access
