Try in Splunk Security Cloud

Description

The following analytic utilizes the user.acount.lock event to identify multiple Okta accounts locking out in a short period of time. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold set by the organization. Monitoring for multiple account lockouts can help detect potential account takeover attempts or unauthorized access to Okta accounts.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • Last Updated: 2024-03-06
  • Author: Michael Haag, Mauricio Velazco, Splunk
  • ID: a511426e-184f-4de6-8711-cfd2af29d1e1

Annotations

ATT&CK

ATT&CK

ID Technique Tactic
T1110 Brute Force Credential Access
Kill Chain Phase
  • Exploitation
NIST
  • DE.AE
CIS20
  • CIS 10
CVE 


1
2
3
4
5
6
7



| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime values(All_Changes.user) as user from datamodel=Change where All_Changes.change_type=AAA All_Changes.object_category=User AND All_Changes.action=modified AND All_Changes.command=user.account.lock by _time span=5m All_Changes.result All_Changes.command sourcetype All_Changes.src 
| where count > 5 
| `drop_dm_object_name("All_Changes")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `okta_multiple_accounts_locked_out_filter`

Macros

The SPL above uses the following Macros:

:information_source: okta_multiple_accounts_locked_out_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • All_Changes.change_type
  • All_Changes.object_category
  • All_Changes.action
  • All_Changes.command
  • All_Changes.result
  • All_Changes.src
  • sourcetype

How To Implement

The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).

Known False Positives

Multiple account lockouts may be also triggered by an application malfunction. Filter as needed, and monitor for any unusual activity.

Associated Analytic Story

RBA

Risk Score Impact Confidence Message
49.0 70 70 Multiple accounts locked out in Okta from [$src$]. Investigate further to determine if this was authorized.

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1