Okta ThreatInsight Suspected PasswordSpray Attack

Original Source: [splunk source]
Name:Okta ThreatInsight Suspected PasswordSpray Attack
id:25dbad05-6682-4dd5-9ce9-8adecf0d9ae2
version:3
date:2024-10-17
author:Okta, Inc, Michael Haag, Splunk
status:deprecated
type:TTP
Description:**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic uses Okta's ThreatInsight to identify `security.threat.detected` events whose outcome reason is "Password Spray", together with any secondary outcome reasons Okta includes on the event. It fires when ThreatInsight flags a password-spray attempt, that is, a small set of passwords tried across many usernames, typically including usernames that do not exist in the org.
Data_source:
search:`okta` eventType="security.threat.detected" AND outcome.reason="Password Spray"
| stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_threatinsight_suspected_passwordspray_attack_filter`
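The search above reduces to a filter on two fields followed by a `stats` aggregation. The following Python re-implements that logic so it can be checked offline against exported Okta System Log JSON (for example, while deciding what the replacement search must keep). This is an added example, not code from the original Splunk content or from Okta; the events are constructed for illustration, field names follow the Okta System Log schema, and the `displayMessage` text, IP addresses and user agents are assumptions. The `exclude` callable stands in for the `*_filter` tuning macro.

```python
"""Offline check of the ThreatInsight password-spray search.

Added example, not part of the original Splunk content or of Okta's code.
It re-implements the search's WHERE clause and `stats` aggregation in Python
so the logic can be exercised against exported Okta System Log JSON without
a Splunk instance.
"""
from datetime import datetime, timezone

# Constructed Okta System Log events (not real data). Events 1-2 share a user
# agent, event 3 has a different one, event 4 is a different ThreatInsight
# reason and event 5 is an ordinary failed login; only 1-3 should match.
SAMPLE_EVENTS = [
    {"eventType": "security.threat.detected", "published": "2024-10-17T08:00:00.000Z",
     "displayMessage": "Request from suspicious actor",
     "outcome": {"result": "DENY", "reason": "Password Spray"},
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"rawUserAgent": "python-requests/2.31", "browser": "UNKNOWN"}}},
    {"eventType": "security.threat.detected", "published": "2024-10-17T08:05:30.000Z",
     "displayMessage": "Request from suspicious actor",
     "outcome": {"result": "DENY", "reason": "Password Spray"},
     "client": {"ipAddress": "203.0.113.11",
                "userAgent": {"rawUserAgent": "python-requests/2.31", "browser": "UNKNOWN"}}},
    {"eventType": "security.threat.detected", "published": "2024-10-17T09:12:00.000Z",
     "displayMessage": "Request from suspicious actor",
     "outcome": {"result": "DENY", "reason": "Password Spray"},
     "client": {"ipAddress": "198.51.100.7",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0",
                              "browser": "CHROME"}}},
    {"eventType": "security.threat.detected", "published": "2024-10-17T09:15:00.000Z",
     "displayMessage": "Request from suspicious actor",
     "outcome": {"result": "DENY", "reason": "Login failures with high unknown users count"},
     "client": {"ipAddress": "198.51.100.8",
                "userAgent": {"rawUserAgent": "curl/8.4.0", "browser": "UNKNOWN"}}},
    {"eventType": "user.session.start", "published": "2024-10-17T09:20:00.000Z",
     "displayMessage": "User login to Okta",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "client": {"ipAddress": "192.0.2.5",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 (Macintosh) Safari/605.1",
                              "browser": "SAFARI"}}},
]

# The `by` clause of the stats command, as dotted Okta field paths.
GROUP_BY = ("eventType", "client.userAgent.rawUserAgent",
            "client.userAgent.browser", "outcome.reason")


def get_field(event, dotted):
    """Resolve a dotted path such as outcome.reason; None if any part is missing."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def epoch(published):
    """Okta 'published' is ISO-8601 UTC with milliseconds; return epoch seconds (_time)."""
    dt = datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def ctime(ts):
    """Stand-in for the security_content_ctime macro: epoch -> readable UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def is_password_spray(event):
    """The search's WHERE clause: eventType and an exact outcome.reason match."""
    return (event.get("eventType") == "security.threat.detected"
            and get_field(event, "outcome.reason") == "Password Spray")


def detect_password_spray(events, exclude=lambda row: False):
    """Run the search over a list of events and return the stats rows.

    `exclude` plays the role of the *_filter macro: a callable returning True
    for rows that should be suppressed (e.g. an authorised scanner's user agent).
    """
    groups = {}
    for ev in events:
        if not is_password_spray(ev):
            continue
        key = tuple(get_field(ev, f) for f in GROUP_BY)
        ts = epoch(ev["published"])
        g = groups.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts, "messages": set()})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ts)   # min(_time) as firstTime
        g["lastTime"] = max(g["lastTime"], ts)     # max(_time) as lastTime
        g["messages"].add(ev.get("displayMessage", ""))  # values(displayMessage)
    rows = []
    for key, g in groups.items():
        row = dict(zip(GROUP_BY, key))
        row.update(count=g["count"], firstTime=ctime(g["firstTime"]),
                   lastTime=ctime(g["lastTime"]), displayMessage=sorted(g["messages"]))
        if not exclude(row):
            rows.append(row)
    return sorted(rows, key=lambda r: (-r["count"], r["client.userAgent.rawUserAgent"]))


if __name__ == "__main__":
    for row in detect_password_spray(SAMPLE_EVENTS):
        print(row)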


how_to_implement:This search is specific to Okta and requires Okta System Log events to be ingested into Splunk, with the `okta` macro resolving to the index and sourcetype that hold them. ThreatInsight must be set in the Okta org to log (or log and enforce) suspicious requests; with "No action" selected, no `security.threat.detected` events are written and the search returns nothing.
known_false_positives:False positives are rare because the verdict comes from Okta ThreatInsight itself. Tune with the `okta_threatinsight_suspected_passwordspray_attack_filter` macro as needed.
References:
  -https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm
drilldown_searches:
tags:
  analytic_story:
    - 'Suspicious Okta Activity'
  asset_type:Infrastructure
  confidence:100
  impact:60
  message:Okta ThreatInsight has detected or prevented a PasswordSpray attack.
  mitre_attack_id:
    - 'T1078'
    - 'T1078.001'
    - 'T1110.003'
  observable:
    - name:'outcome.reason'
      type:'Other'
      role:
        - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'eventType'
    - 'client.userAgent.rawUserAgent'
    - 'client.userAgent.browser'
    - 'outcome.reason'
    - 'displayMessage'
  risk_score:60
  security_domain:access

tests:
manual_test:None

Related Analytic Stories

Suspicious Okta Activity