Name:Okta Multiple Failed MFA Requests For User id:826dbaae-a1e6-4c8c-b384-d16898956e73 version:6 date:2025-01-21 author:Mauricio Velazco, Splunk status:production type:Anomaly Description:The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within an Okta tenant. It triggers when more than 10 MFA attempts fail within 5 minutes, using Okta event logs to detect this pattern. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests, a technique used by threat actors like Lapsus and APT29. If confirmed malicious, this could lead to unauthorized access, potentially compromising sensitive information and systems. Data_source:
-Okta
search:`okta` eventType=user.authentication.auth_via_mfa outcome.result=FAILURE debugContext.debugData.factor!=PASSWORD_AS_FACTOR | bucket _time span=5m | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_ip) as src_ip values(debugContext.debugData.factor) values(dest) as dest by _time src_user | where count >= 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_failed_mfa_requests_for_user_filter`
how_to_implement:The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). known_false_positives:Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed and monitor for any unusual activity. References: -https://attack.mitre.org/techniques/T1621/ drilldown_searches: name:'View the detection results for - "$src_user$"' search:'%original_detection_search% | search src_user = "$src_user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$src_user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Okta Account Takeover' asset_type:Okta Tenant mitre_attack_id: - 'T1621' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:identity
