Techniques
Sample rules
Okta ThreatInsight Login Failure with High Unknown users
- source: splunk
- techniques:
- T1078
- T1078.001
- T1110.004
Description
DEPRECATION NOTE - This search has been deprecated and replaced with Okta ThreatInsight Threat Detected. The following analytic utilizes Okta's ThreatInsight to identify login failures with a high unknown-users count and any included secondary outcome reasons. This event triggers when a brute-force attempt occurs using unknown usernames.
Detection logic
`okta` eventType="security.threat.detected" AND outcome.reason="Login failures with high unknown users count*"
| stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_threatinsight_login_failure_with_high_unknown_users_filter`
Okta ThreatInsight Suspected PasswordSpray Attack
- source: splunk
- techniques:
- T1078
- T1078.001
- T1110.003
Description
DEPRECATION NOTE - This search has been deprecated and replaced with Okta ThreatInsight Threat Detected. The following analytic utilizes Okta's ThreatInsight to identify "PasswordSpray" and any included secondary outcome reasons. This event triggers when a brute-force attempt occurs using unknown usernames.
Detection logic
`okta` eventType="security.threat.detected" AND outcome.reason="Password Spray"
| stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_threatinsight_suspected_passwordspray_attack_filter`
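To see what the two searches above actually do with the raw Okta System Log, here is an added Python replay of their filter and `stats` stages (example code, not Splunk Security Content and not Okta's). It runs offline over a handful of constructed events. Field names follow the Okta System Log JSON schema (`eventType`, `outcome.reason`, `client.userAgent.*`, `displayMessage`, `published`); the Splunk `user` field is assumed to correspond to `actor.alternateId`, and `_ctime` stands in for the `security_content_ctime` macro. The trailing `*` in the first search is emulated as a prefix match, the second search as an exact match.

```python
"""Offline replay of the two Okta ThreatInsight searches in plain Python.

Added example, not Splunk Security Content code. It reads Okta System Log
events and reproduces the filter + `stats` stage of each SPL search. The
Splunk `user` field is assumed to map to actor.alternateId.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timezone
from typing import Iterable

THREAT_EVENT = "security.threat.detected"


def _event(published, event_type, reason, message, user="unknown",
           raw_ua="Mozilla/5.0 (X11; Linux x86_64) sample-agent", browser="CHROME"):
    """Build a minimal Okta System Log event with only the fields the searches use."""
    return {
        "published": published,
        "eventType": event_type,
        "displayMessage": message,
        "actor": {"alternateId": user},
        "client": {"userAgent": {"rawUserAgent": raw_ua, "browser": browser}},
        "outcome": {"result": "FAILURE", "reason": reason},
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _event("2024-05-01T10:00:00.000Z", THREAT_EVENT,
           "Login failures with high unknown users count", "Threat detected"),
    _event("2024-05-01T10:05:00.000Z", THREAT_EVENT,
           "Login failures with high unknown users count", "Threat detected"),
    # Text after the reason is caught by the SPL wildcard ("...count*"), but
    # `by outcome.reason` still puts it in its own row.
    _event("2024-05-01T10:12:00.000Z", THREAT_EVENT,
           "Login failures with high unknown users count, secondary: Password Spray",
           "Threat detected: high unknown users"),
    _event("2024-05-01T10:10:00.000Z", THREAT_EVENT, "Password Spray",
           "Threat detected", browser="UNKNOWN", raw_ua="python-requests/2.31"),
    # Noise: a normal login and a ThreatInsight event with an unrelated reason.
    _event("2024-05-01T10:11:00.000Z", "user.session.start", None,
           "User login to Okta", user="alice@example.com"),
    _event("2024-05-01T10:13:00.000Z", THREAT_EVENT, "Anomalous login",
           "Threat detected"),
]


def get_path(event: dict, dotted: str):
    """Resolve a Splunk-style dotted field name such as client.userAgent.browser."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def _parse_published(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def _ctime(ts: datetime) -> str:
    """Stand-in for `security_content_ctime`: human-readable UTC timestamp."""
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def threatinsight_stats(events: Iterable[dict], reason: str, prefix_match: bool,
                        group_by: tuple[str, ...]) -> list[dict]:
    """Filter + stats stage shared by both searches.

    reason       -- value compared against outcome.reason
    prefix_match -- True emulates a trailing SPL wildcard, False is an exact match
    group_by     -- the `by` clause fields, in Okta System Log dotted notation
    """
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "messages": set()})
    for ev in events:
        if get_path(ev, "eventType") != THREAT_EVENT:
            continue
        actual = get_path(ev, "outcome.reason") or ""
        if not (actual.startswith(reason) if prefix_match else actual == reason):
            continue
        key = tuple(get_path(ev, f) for f in group_by)
        ts = _parse_published(ev["published"])
        g = groups[key]
        g["count"] += 1                                   # stats count
        g["first"] = ts if g["first"] is None else min(g["first"], ts)  # min(_time)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)     # max(_time)
        g["messages"].add(ev.get("displayMessage"))       # values(displayMessage)
    rows = []
    for key, g in groups.items():
        row = dict(zip(group_by, key))
        row.update(count=g["count"], firstTime=_ctime(g["first"]),
                   lastTime=_ctime(g["last"]), displayMessage=sorted(g["messages"]))
        rows.append(row)
    return sorted(rows, key=lambda r: r["firstTime"])


def high_unknown_users(events: Iterable[dict]) -> list[dict]:
    """Okta ThreatInsight Login Failure with High Unknown users (wildcard reason, grouped by user)."""
    return threatinsight_stats(events, "Login failures with high unknown users count", True,
                               ("actor.alternateId", "eventType", "client.userAgent.rawUserAgent",
                                "client.userAgent.browser", "outcome.reason"))


def password_spray(events: Iterable[dict]) -> list[dict]:
    """Okta ThreatInsight Suspected PasswordSpray Attack (exact reason, no user grouping)."""
    return threatinsight_stats(events, "Password Spray", False,
                               ("eventType", "client.userAgent.rawUserAgent",
                                "client.userAgent.browser", "outcome.reason"))


if __name__ == "__main__":
    for row in high_unknown_users(SAMPLE_EVENTS) + password_spray(SAMPLE_EVENTS):
        print(row)
```

Running it shows one detail worth knowing when tuning either search: because `outcome.reason` is in the `by` clause, a ThreatInsight event whose reason carries a secondary outcome (the third sample event) lands in its own row rather than being counted with the plain "Login failures with high unknown users count" events, so the per-row `count` understates the total unless the reason field is normalised first.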