t1110

a misconfigured service account can trigger this alert. a password change on an account used by an email client can trigger this alert. security test cycles that include brute force or password spraying activities may trigger this alert.
account fallback reasons (after failed login with specific account)
an okta administrator may be logged into multiple accounts from the same host for legitimate reasons.
automated processes that attempt to authenticate using expired credentials or have misconfigured authentication settings may lead to false positives.
based on the high-frequency threshold, it would be unlikely for a legitimate user to exceed the threshold for failed totp code attempts in a short time-span.
build servers and ci systems can sometimes trigger this alert. security test cycles that include brute force or password spraying activities may trigger this alert.
false positives may be generated by normal provisioning workflows for user device registration.
false positives may be present. tune okta and tune the analytic to ensure proper fidelity. modify risk score as needed. drop to anomaly until tuning is complete.
false positives will be limited to the number of events generated by the analytics tied to the stories. analytics will need to be tested and tuned, and the risk score reduced as needed based on the organization.
if this was approved by a system administrator.
ip or users where the usage of multiple operating systems is expected, filter accordingly.
known legacy accounts
legitimate or intentional inbound connections from public ip addresses on the smb port.
legitimate user wrong password attempts.
misconfigured systems
multiple account lockouts may be also triggered by an application malfunction. filter as needed, and monitor for any unusual activity.
security audits may trigger this alert. conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert.
service account misconfigured
shared systems such as kiosks and conference room computers may be used by multiple users.
software that uses the caret encased keywords pass and user in its command line
systems with names equal to the spoofed ones used by the brute force tools
the threshold for alert is above 10 attempts and this should reduce the number of false positives.
this detection will require tuning to provide high fidelity detection capabilities. tune based on src addresses (corporate offices, vpn terminations) or by groups of users.
this event could stem from users changing an account's password that's used to authenticate via a job or an automated process. investigate the source of such events and mitigate them.
tools that use similar command line flags and values
unlikely, except due to misconfigurations.
user has been put in an exception group so they can use legacy authentication.
users actually log in but misclick the deny button at the mfa prompt.
users may genuinely reset the rds password.
users may share an endpoint related to work or personal use in which separate okta accounts are used.
vulnerability scanners
we recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.