A single public IP address servicing multiple legitimate users may trigger this search. In addition, the threshold of 5 distinct users may be too low for your needs. You may modify the included filter macro `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` to raise the threshold or exempt specific IP addresses from triggering this search.

Techniques

Sample rules

Multiple Okta Users With Invalid Credentials From The Same IP

Description

DEPRECATION NOTE - This search has been deprecated and replaced with Okta Multiple Users Failing To Authenticate From Ip. This analytic identifies multiple failed logon attempts from a single IP in a short period of time. Use this analytic to identify patterns of suspicious logins from a single source and filter as needed or use this to drive tuning for higher fidelity analytics.

Detection logic

`okta` eventType=user.session.start outcome.result=FAILURE 
| rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city 
| stats min(_time) as firstTime max(_time) as lastTime dc(src_user) as distinct_users values(src_user) as users by src_ip, displayMessage, outcome.reason, country, state, city 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| search distinct_users > 5
| `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter`
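The SPL above re-implemented in Python and run over constructed Okta-style events, as an added example that is not part of the page or of the Splunk rule; the mapping of src_ip/src_user to client.ipAddress/actor.alternateId, and modelling the filter macro as an IP allowlist, are assumptions.

```python
from collections import defaultdict

# Constructed Okta System Log events (sample data, not from the page). The mapping of
# src_ip -> client.ipAddress and src_user -> actor.alternateId is an assumption.
def _event(ip, user, second, country="US", state="CA", city="San Francisco"):
    return {
        "eventType": "user.session.start",
        "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
        "displayMessage": "User login to Okta",
        "published": f"2024-01-01T10:00:{second:02d}.000Z",
        "client": {"ipAddress": ip, "geographicalContext": {"country": country, "state": state, "city": city}},
        "actor": {"alternateId": user},
    }

EVENTS = (
    # 6 distinct users failing from one external address: exceeds the threshold of 5
    [_event("203.0.113.10", f"user{i}@example.com", i) for i in range(6)]
    # 3 distinct users, one of them retrying several times: dc() counts users, not events
    + [_event("198.51.100.7", "alice@example.com", s) for s in range(10, 14)]
    + [_event("198.51.100.7", "bob@example.com", 14), _event("198.51.100.7", "carol@example.com", 15)]
    # corporate NAT: 8 legitimate users mistyping passwords, the false positive the page describes
    + [_event("192.0.2.5", f"staff{i}@example.com", 20 + i) for i in range(8)]
)

def detect(events, threshold=5, excluded_ips=frozenset()):
    """Mirror the SPL: filter failed session starts, group, count distinct users, apply threshold and filter."""
    groups = defaultdict(lambda: {"times": [], "users": set()})
    for e in events:
        if e["eventType"] != "user.session.start" or e["outcome"]["result"] != "FAILURE":
            continue
        geo = e["client"]["geographicalContext"]
        # same "by" clause as the stats command: src_ip, displayMessage, outcome.reason, country, state, city
        key = (e["client"]["ipAddress"], e["displayMessage"], e["outcome"]["reason"],
               geo["country"], geo["state"], geo["city"])
        groups[key]["times"].append(e["published"])
        groups[key]["users"].add(e["actor"]["alternateId"])
    results = []
    for key, g in groups.items():
        src_ip = key[0]
        # "search distinct_users > 5", then the filter macro (modelled here as an IP allowlist)
        if len(g["users"]) > threshold and src_ip not in excluded_ips:
            results.append({"src_ip": src_ip, "outcome.reason": key[2],
                            "firstTime": min(g["times"]), "lastTime": max(g["times"]),
                            "distinct_users": len(g["users"]), "users": sorted(g["users"])})
    return sorted(results, key=lambda r: r["src_ip"])

if __name__ == "__main__":
    for hit in detect(EVENTS, excluded_ips={"192.0.2.5"}):
        print(hit)
```

Without the allowlist the NAT address 192.0.2.5 is reported alongside the genuinely suspicious 203.0.113.10; adding it to `excluded_ips` (or raising `threshold`) is the tuning the filter macro exists for.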