Okta Account Locked Out

Original Source: [splunk source]
Name:Okta Account Locked Out
id:d650c0ae-bdc5-400e-9f0f-f7aa0a010ef1
version:2
date:2024-10-17
author:Michael Haag, Splunk
status:deprecated
type:Anomaly
Description:**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. The following analytic utilizes the user.acount.lock event to identify associates who are locked out of Okta. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold.
Data_source:
search:`okta` eventType=user.account.lock
| stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_user) as user by src_ip eventType status
| where count >=3
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`| `okta_account_locked_out_filter`

how_to_implement:This analytic is specific to Okta and requires Okta logs to be ingested.
known_false_positives:False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.
References:
  -https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock
 drilldown_searches:
  :
tags:
  analytic_story:
    - 'Suspicious Okta Activity'
    - 'Okta MFA Exhaustion'
  asset_type:Infrastructure
  confidence:80
  impact:80
  message:$src_user$ account has been locked out.
  mitre_attack_id:
    - 'T1110'
  observable:
    name:'src_ip'
    type:'IP Address'
    - role:
      - 'Attacker'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'src_user'
    - 'src_ip'
    - 'eventType'
    - 'status'
  risk_score:64
  security_domain:access

tests:
name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.log
  source: Okta
  sourcetype: OktaIM2:log
manual_test:None

Related Analytic Stories


Okta MFA Exhaustion

Suspicious Okta Activity

© 2024 DetectionCode Website. All Rights Reserved.