LoFP / Multiple account lockouts may also be triggered by an application malfunction (for example, a service account with a stale password retrying against many users). Filter as needed, and monitor for any unusual activity.

Techniques

Sample rules

Okta Multiple Accounts Locked Out

Description

The following analytic detects multiple Okta accounts being locked out within a short period. It counts user.account.lock events from Okta logs per source in 5-minute windows and fires when more than five occur in a single window from one source. This activity is significant because it may indicate a brute-force or password-spraying attack, where an adversary guesses passwords across many users and triggers lockouts. If confirmed malicious, this could result in account takeover or unauthorized access to sensitive Okta accounts; because the lockout itself also denies service to the legitimate users, the alert is worth triage even when no login succeeded.

Detection logic

| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime values(All_Changes.user) as user FROM datamodel=Change
    WHERE All_Changes.change_type=AAA All_Changes.object_category=User
      AND All_Changes.action=lockout
      AND All_Changes.command=user.account.lock
    BY _time span=5m All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.dest
| where count > 5
| `drop_dm_object_name("All_Changes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_multiple_accounts_locked_out_filter`
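The grouping and threshold of the analytic above, re-implemented over constructed Okta System Log events so the behaviour can be inspected offline. This is an added example, not code from this page or from the Splunk security content project. The event field names follow Okta's System Log schema (eventType, published, outcome.result, client.ipAddress, target[].type, target[].alternateId); mapping them onto the Change data model's command, result, src and user fields is an assumption made here, and the sample events are fabricated for the demonstration.

```python
"""Lockout-burst check: count user.account.lock events per (5-minute window,
outcome, source IP) and report groups with more than five events, the same
shape as the SPL's 'BY _time span=5m result command src' and 'where count > 5'.
Constructed sample data; field mapping to the Change data model is assumed."""
import json
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 300   # the SPL's "span=5m"
THRESHOLD = 5          # the SPL keeps buckets where count > 5


def _event(published, ip, user, result="SUCCESS", event_type="user.account.lock"):
    """Build a minimal Okta System Log event (constructed, not real data)."""
    return {
        "eventType": event_type,
        "published": published,
        "outcome": {"result": result},
        "client": {"ipAddress": ip},
        "target": [{"type": "User", "alternateId": user}],
    }


# Constructed sample log: one source locking six distinct users inside a single
# 5-minute window, the same source once more in the next window, a second
# source with only two lockouts, and an unrelated event type that must be ignored.
SAMPLE_EVENTS = [
    _event("2024-03-01T12:00:10Z", "198.51.100.7", "alice@example.com"),
    _event("2024-03-01T12:00:40Z", "198.51.100.7", "bob@example.com"),
    _event("2024-03-01T12:01:00Z", "203.0.113.5", "heidi@example.com"),
    _event("2024-03-01T12:01:15Z", "198.51.100.7", "carol@example.com"),
    _event("2024-03-01T12:02:00Z", "198.51.100.7", "alice@example.com",
           event_type="user.session.start"),
    _event("2024-03-01T12:02:05Z", "198.51.100.7", "dave@example.com"),
    _event("2024-03-01T12:03:00Z", "203.0.113.5", "heidi@example.com"),
    _event("2024-03-01T12:03:30Z", "198.51.100.7", "erin@example.com"),
    _event("2024-03-01T12:04:50Z", "198.51.100.7", "frank@example.com"),
    _event("2024-03-01T12:05:30Z", "198.51.100.7", "grace@example.com"),
]


def _epoch(published):
    """Okta publishes RFC 3339 UTC timestamps; normalise the trailing Z."""
    return int(datetime.fromisoformat(published.replace("Z", "+00:00")).timestamp())


def _iso(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def find_lockout_bursts(events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return one record per (window, outcome, source) group whose lockout
    count exceeds the threshold, with the distinct users and first/last times."""
    groups = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for ev in events:
        if ev.get("eventType") != "user.account.lock":
            continue  # the SPL's command=user.account.lock filter
        ts = _epoch(ev["published"])
        key = (ts - ts % window,                        # fixed-span bucket start
               ev.get("outcome", {}).get("result"),      # All_Changes.result
               ev.get("client", {}).get("ipAddress"))    # All_Changes.src
        g = groups[key]
        g["count"] += 1
        g["users"].update(t.get("alternateId") for t in ev.get("target", [])
                          if t.get("type") == "User")    # values(user)
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)
    bursts = []
    for (bucket, result, src), g in sorted(groups.items(), key=lambda kv: kv[0][0]):
        if g["count"] > threshold:
            bursts.append({"window_start": _iso(bucket), "result": result, "src": src,
                           "count": g["count"], "users": sorted(g["users"]),
                           "firstTime": _iso(g["first"]), "lastTime": _iso(g["last"])})
    return bursts


if __name__ == "__main__":
    print(json.dumps(find_lockout_bursts(SAMPLE_EVENTS), indent=2))
```

Two properties of the rule are visible in the run: the single-IP burst fires while the same user being locked twice from a second IP stays under the threshold, and the seventh lockout from the attacker falls into the next fixed 5-minute bucket and is counted separately. Because the SPL groups by source, a spray distributed across many IPs can stay below five per source per window; if that is a concern, the same aggregation keyed without src (or on the count of distinct users) is the variant to tune against the application-malfunction false positive noted at the top of the page.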