Okta Multiple Accounts Locked Out
Description
The following analytic utilizes the user.acount.lock event to identify multiple Okta accounts locking out in a short period of time. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold set by the organization. Monitoring for multiple account lockouts can help detect potential account takeover attempts or unauthorized access to Okta accounts.
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Change
- Last Updated: 2024-03-06
- Author: Michael Haag, Mauricio Velazco, Splunk
- ID: a511426e-184f-4de6-8711-cfd2af29d1e1
Annotations
Kill Chain Phase
- Exploitation
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime values(All_Changes.user) as user from datamodel=Change where All_Changes.change_type=AAA All_Changes.object_category=User AND All_Changes.action=modified AND All_Changes.command=user.account.lock by _time span=5m All_Changes.result All_Changes.command sourcetype All_Changes.src
| where count > 5
| `drop_dm_object_name("All_Changes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_multiple_accounts_locked_out_filter`
Macros
The SPL above uses the following Macros:
okta_multiple_accounts_locked_out_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- All_Changes.change_type
- All_Changes.object_category
- All_Changes.action
- All_Changes.command
- All_Changes.result
- All_Changes.src
- sourcetype
How To Implement
The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
Known False Positives
Multiple account lockouts may be also triggered by an application malfunction. Filter as needed, and monitor for any unusual activity.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
49.0 | 70 | 70 | Multiple accounts locked out in Okta from [$src$]. Investigate further to determine if this was authorized. |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1