Okta Failed SSO Attempts

Original Source: [splunk source]
Name:Okta Failed SSO Attempts
id:371a6545-2618-4032-ad84-93386b8698c5
version:4
date:2024-10-17
author:Michael Haag, Rico Valdez, Splunk
status:deprecated
type:Anomaly
Description:**DEPRECATION NOTE** - This search has been deprecated and replaced with this detection `Okta Unauthorized Access to Application - DM`. The following anomaly identifies failed Okta SSO events utilizing the legacy Okta event "unauth app access attempt".
Data_source:
search:`okta` eventType=app.generic.unauth_app_access_attempt
| stats min(_time) as firstTime max(_time) as lastTime values(app) as Apps count by src_user, result, displayMessage, src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_failed_sso_attempts_filter`
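The search above does three things: keep only events whose `eventType` is `app.generic.unauth_app_access_attempt`, aggregate them per (`src_user`, `result`, `displayMessage`, `src_ip`) with first/last seen, the set of apps and a count, then drop tuning exclusions through the `okta_failed_sso_attempts_filter` macro. The Python below re-implements that pipeline so the grouping behaviour can be checked offline; it is an added example, not Splunk's or Okta's code. It assumes Okta System Log events have already been flattened to the field names the search uses (`_time` here is an ISO-8601 string, not an epoch), and it models the filter macro as a caller-supplied `keep` predicate, which is an assumption about how the macro is used.

```python
from datetime import datetime, timezone

UNAUTH_APP_ACCESS = "app.generic.unauth_app_access_attempt"
TIME_FMT = "%Y-%m-%dT%H:%M:%S"  # assumed to match the layout security_content_ctime emits

# Constructed sample events (synthetic; not captured from a real Okta tenant).
SAMPLE_EVENTS = [
    {"_time": "2024-10-17T08:00:00Z", "eventType": UNAUTH_APP_ACCESS,
     "src_user": "alice@example.com", "result": "FAILURE",
     "displayMessage": "User attempted unauthorized access to app",
     "src_ip": "203.0.113.10", "app": "Salesforce"},
    {"_time": "2024-10-17T08:05:00Z", "eventType": UNAUTH_APP_ACCESS,
     "src_user": "alice@example.com", "result": "FAILURE",
     "displayMessage": "User attempted unauthorized access to app",
     "src_ip": "203.0.113.10", "app": "Workday"},
    {"_time": "2024-10-17T08:10:00Z", "eventType": UNAUTH_APP_ACCESS,
     "src_user": "alice@example.com", "result": "FAILURE",
     "displayMessage": "User attempted unauthorized access to app",
     "src_ip": "203.0.113.10", "app": "Salesforce"},
    {"_time": "2024-10-17T09:30:00Z", "eventType": UNAUTH_APP_ACCESS,
     "src_user": "bob@example.com", "result": "FAILURE",
     "displayMessage": "User attempted unauthorized access to app",
     "src_ip": "198.51.100.7", "app": "Jira"},
    # A normal sign-in has a different eventType, so the search never sees it.
    {"_time": "2024-10-17T09:31:00Z", "eventType": "user.session.start",
     "src_user": "bob@example.com", "result": "SUCCESS",
     "displayMessage": "User login to Okta",
     "src_ip": "198.51.100.7", "app": ""},
]


def _parse_time(ts):
    """Constructed events carry UTC ISO-8601 timestamps with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def failed_sso_attempts(events, keep=lambda row: True):
    """Mirror the SPL: filter on eventType, then
    stats min(_time) max(_time) values(app) count by src_user, result, displayMessage, src_ip.
    `keep` stands in for the okta_failed_sso_attempts_filter macro (hypothetical)."""
    groups = {}
    for ev in events:
        if ev.get("eventType") != UNAUTH_APP_ACCESS:
            continue
        key = (ev["src_user"], ev["result"], ev["displayMessage"], ev["src_ip"])
        t = _parse_time(ev["_time"])
        g = groups.setdefault(key, {"firstTime": t, "lastTime": t, "Apps": set(), "count": 0})
        g["firstTime"] = min(g["firstTime"], t)
        g["lastTime"] = max(g["lastTime"], t)
        g["Apps"].add(ev["app"])
        g["count"] += 1

    rows = []
    # stats ... by emits one row per distinct group, ordered by the group fields.
    for (src_user, result, msg, src_ip), g in sorted(groups.items()):
        row = {
            "firstTime": g["firstTime"].strftime(TIME_FMT),
            "lastTime": g["lastTime"].strftime(TIME_FMT),
            "Apps": sorted(g["Apps"]),  # values() is a deduplicated multivalue field
            "count": g["count"],
            "src_user": src_user, "result": result,
            "displayMessage": msg, "src_ip": src_ip,
        }
        if keep(row):  # the filter macro is where known false positives are excluded
            rows.append(row)
    return rows


def notable_message(row):
    """Render the detection's message template: $src_user$ failed SSO authentication to the app."""
    return f"{row['src_user']} failed SSO authentication to the app."


if __name__ == "__main__":
    for row in failed_sso_attempts(SAMPLE_EVENTS):
        print(notable_message(row), row)
```

Running it yields one row for alice (three attempts across two apps from one IP) and one for bob; the `user.session.start` event is never counted. Passing a `keep` predicate that excludes a user or source IP shows the effect of the filter macro when a known misconfiguration is generating legitimate-user failures.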


how_to_implement:This search is specific to Okta and requires that Okta logs are being ingested into your Splunk deployment.
known_false_positives:There may be a faulty configuration preventing legitimate users from accessing apps they should have access to.
References:
  - https://developer.okta.com/docs/reference/api/event-types/?q=app.generic.unauth_app_access_attempt
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Suspicious Okta Activity'
  asset_type:Infrastructure
  confidence:40
  impact:40
  message:$src_user$ failed SSO authentication to the app.
  mitre_attack_id:
    - 'T1078'
    - 'T1078.001'
  observable:
    - name:'src_user'
      type:'User'
      role:
        - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'displayMessage'
    - 'app'
    - 'src_user'
    - 'result'
    - 'src_ip'
  risk_score:16
  security_domain:access

tests:
  :
manual_test:None

Related Analytic Stories

Suspicious Okta Activity