t1078.001

a single public ip address servicing multiple legitimate users may trigger this search. in addition, the threshold of 5 distinct users may be too low for your needs. you may modify the included filter macro `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` to raise the threshold or exclude specific ip addresses from triggering this search.
false positives should be minimal, given the high fidelity of this detection.
fidelity of this is high as it is okta threatinsight. filter and modify as needed.
fidelity of this is high as okta is specifying malicious infrastructure. filter and modify as needed.
none. account lockouts should be followed up on to determine if the actual user was the one who caused the lockout, or if it was an unauthorized actor.
there may be a faulty config preventing legitimate users from accessing apps they should have access to.