LoFP / there may be a faulty config preventing legitimate users from accessing apps they should have access to.

Techniques

Sample rules

Okta Failed SSO Attempts

Description

DEPRECATION NOTE - This search has been deprecated and replaced with the detection Okta Unauthorized Access to Application - DM. The following anomaly identifies failed Okta SSO events using the legacy Okta event "unauth app access attempt".

Detection logic

`okta` eventType=app.generic.unauth_app_access_attempt
| stats min(_time) as firstTime max(_time) as lastTime values(app) as Apps count by src_user, result, displayMessage, src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_failed_sso_attempts_filter`
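The search above, re-expressed as a stand-alone Python script so the aggregation and the false-positive case from the LoFP note can be seen on concrete input. This is an added example, not code from the rule's authors or from Splunk: the Okta System Log records are constructed, and the mapping of `src_user`, `result`, `src_ip` and `app` onto `actor.alternateId`, `outcome.result`, `client.ipAddress` and the `AppInstance` target is assumed (the field names the Splunk Okta add-on extracts may differ). The `suspected_misconfig` helper goes beyond the search: it flags an app that many distinct users fail against, which is the "faulty config" pattern the LoFP entry describes rather than a single account probing many apps.

```python
import json
from collections import defaultdict
from datetime import datetime

# The legacy event type the deprecated search keys on (from the page).
LEGACY_EVENT = "app.generic.unauth_app_access_attempt"


def _event(ts, user, ip, app, event_type=LEGACY_EVENT):
    """Build one CONSTRUCTED Okta System Log record as a JSON line (sample data)."""
    return json.dumps({
        "published": ts,
        "eventType": event_type,
        "displayMessage": "User attempted unauthorized access to app",
        "outcome": {"result": "FAILURE"},
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip},
        "target": [{"type": "AppInstance", "displayName": app}],
    })


# Constructed sample input: three users denied on "Payroll", one unrelated
# session event that the eventType filter must drop, one denial on another app.
SAMPLE_EVENTS = [
    _event("2024-01-01T10:00:00Z", "alice@example.com", "10.0.0.5", "Payroll"),
    _event("2024-01-01T10:05:00Z", "alice@example.com", "10.0.0.5", "Payroll"),
    _event("2024-01-01T10:07:00Z", "bob@example.com", "10.0.0.6", "Payroll"),
    _event("2024-01-01T10:09:00Z", "carol@example.com", "10.0.0.7", "Payroll"),
    _event("2024-01-01T10:30:00Z", "alice@example.com", "10.0.0.5", "Payroll",
           event_type="user.session.start"),
    _event("2024-01-01T11:00:00Z", "dave@example.com", "10.0.0.9", "Finance DB"),
]


def parse_event(line):
    """Map one Okta System Log JSON line onto the fields the SPL search uses.
    The field mapping is an assumption about how the add-on extracts them."""
    ev = json.loads(line)
    app = next((t.get("displayName") for t in ev.get("target", [])
                if t.get("type") == "AppInstance"), None)
    return {
        "_time": datetime.fromisoformat(ev["published"].replace("Z", "+00:00")),
        "eventType": ev["eventType"],
        "src_user": ev["actor"]["alternateId"],
        "result": ev["outcome"]["result"],
        "displayMessage": ev["displayMessage"],
        "src_ip": ev["client"]["ipAddress"],
        "app": app,
    }


def failed_sso_attempts(lines):
    """Equivalent of the search: filter on eventType, then
    stats min(_time) max(_time) values(app) count by src_user, result, displayMessage, src_ip."""
    groups = defaultdict(lambda: {"firstTime": None, "lastTime": None, "apps": set(), "count": 0})
    for line in lines:
        ev = parse_event(line)
        if ev["eventType"] != LEGACY_EVENT:
            continue
        key = (ev["src_user"], ev["result"], ev["displayMessage"], ev["src_ip"])
        g = groups[key]
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        if ev["app"] is not None:
            g["apps"].add(ev["app"])
        g["count"] += 1
    rows = []
    for (src_user, result, msg, src_ip), g in groups.items():
        rows.append({
            "src_user": src_user, "result": result, "displayMessage": msg, "src_ip": src_ip,
            "firstTime": g["firstTime"].isoformat(),   # stands in for security_content_ctime
            "lastTime": g["lastTime"].isoformat(),
            "apps": sorted(g["apps"]),
            "count": g["count"],
        })
    return sorted(rows, key=lambda r: (r["src_user"], r["src_ip"]))


def suspected_misconfig(rows, min_users=3):
    """Triage helper for the LoFP case: an app that many distinct users are denied on
    is more likely an assignment/policy misconfiguration than an attack."""
    users_per_app = defaultdict(set)
    for r in rows:
        for app in r["apps"]:
            users_per_app[app].add(r["src_user"])
    return sorted(app for app, users in users_per_app.items() if len(users) >= min_users)


if __name__ == "__main__":
    results = failed_sso_attempts(SAMPLE_EVENTS)
    for r in results:
        print(r)
    print("apps that look misconfigured rather than attacked:", suspected_misconfig(results))
```

On the constructed input the session-start event is dropped by the eventType filter, Alice's two denials from the same IP collapse into one row with count 2, and "Payroll" is reported by `suspected_misconfig` because three distinct users were denied on it; "Finance DB" is not. When tuning `okta_failed_sso_attempts_filter`, that distinct-user view per app is the quickest way to separate the faulty-config false positive from a single source probing applications.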