LoFP / okta tenant

a single public ip address servicing multiple legitimate users may trigger this search. in addition, the threshold of 5 distinct users may be too low for your needs. you may modify the included filter macro `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` to raise the threshold or exclude specific ip addresses from triggering this search.
a source ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior.
a user may have accidentally entered the wrong credentials during the mfa challenge. if the user is new to mfa, they may have trouble authenticating. ensure that the user is aware of the mfa process and has the correct credentials.
although not recommended, certain users may be exempt from multi-factor authentication. adjust the filter as necessary.
false positives may be present based on organization size and configuration of okta.
false positives may be present. tune okta and tune the analytic to ensure proper fidelity. modify risk score as needed. drop to anomaly until tuning is complete.
false positives may occur, depending on the organization's size and the configuration of okta.
false positives should be minimal, given the high fidelity of this detection.
false positives will be limited to the number of events generated by the analytics tied to the stories. analytics will need to be tested and tuned, and the risk score reduced as needed based on the organization.
it is possible that the user has legitimately added a new device to their account. please verify this activity.
it is uncommon for a user to log in from multiple cities simultaneously, which may indicate a false positive.
it's possible for legitimate administrative actions or automated processes to trigger this detection, especially if there are bulk modifications to okta idp lifecycle events. review the context of the modification, such as the user making the change and the specific lifecycle event modified, to determine if it aligns with expected behavior.
legitimate use cases may require users to disable mfa. filter lightly and monitor for any unusual activity.
multiple account lockouts may also be triggered by an application malfunction. filter as needed, and monitor for any unusual activity.
multiple failed mfa requests may also be a sign of authentication or application issues. filter as needed and monitor for any unusual activity.
there is a possibility that a user may accidentally click on the wrong application, which could trigger this event. it is advisable to verify the location from which this activity originates.