Name:Okta Multiple Accounts Locked Out id:a511426e-184f-4de6-8711-cfd2af29d1e1 version:3 date:2024-09-30 author:Michael Haag, Mauricio Velazco, Splunk status:production type:Anomaly Description:The following analytic detects multiple Okta accounts being locked out within a short period. It uses the user.account.lock event from Okta logs, aggregated over a 5-minute window, to identify this behavior. This activity is significant as it may indicate a brute force or password spraying attack, where an adversary attempts to guess passwords, leading to account lockouts. If confirmed malicious, this could result in potential account takeovers or unauthorized access to sensitive Okta accounts, posing a significant security risk. Data_source:
-Okta
search:| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime values(All_Changes.user) as user from datamodel=Change where All_Changes.change_type=AAA All_Changes.object_category=User AND All_Changes.action=lockout AND All_Changes.command=user.account.lock by _time span=5m All_Changes.result All_Changes.command sourcetype All_Changes.src | where count > 5 | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_accounts_locked_out_filter`
how_to_implement:The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). known_false_positives:Multiple account lockouts may be also triggered by an application malfunction. Filter as needed, and monitor for any unusual activity. References: -https://attack.mitre.org/techniques/T1110/ -https://splunkbase.splunk.com/app/6553 drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Okta Account Takeover' asset_type:Okta Tenant confidence:70 impact:70 message:Multiple accounts locked out in Okta from [$src$]. Investigate further to determine if this was authorized. mitre_attack_id: - 'T1110' observable: name:'src' type:'IP Address' - role: - 'Attacker' name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'All_Changes.change_type' - 'All_Changes.object_category' - 'All_Changes.action' - 'All_Changes.command' - 'All_Changes.result' - 'All_Changes.src' - 'sourcetype' risk_score:49 security_domain:identity
