IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Hex Encoding/Decoding Activity High Number of Process and/or Service Terminations »

› › ›

High Number of Okta User Password Reset or Unlock Attempts

edit

High Number of Okta User Password Reset or Unlock Attempts

edit

Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to an Okta user account using these methods and attempt to blend in with normal activity in their target’s environment and evade detection.

Rule type: threshold

Rule indices:

filebeat-*
logs-okta*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Identity
Okta
Continuous Monitoring
SecOps
Identity and Access

Version: 2 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.11.0

Rule authors: Elastic

Rule license: Elastic License

Potential false positives

edit

The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule.

Investigation guide

edit

The Okta Filebeat module must be enabled to use this rule.

Rule query

edit

event.dataset:okta.system and
event.action:(system.email.account_unlock.sent_message or
system.email.password_reset.sent_message or
system.sms.send_account_unlock_message or
system.sms.send_password_reset_message or
system.voice.send_account_unlock_call or
system.voice.send_password_reset_call or user.account.unlock_token)

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/

Rule version history

edit

Version 2 (7.11.0 release)

Formatting only

« Hex Encoding/Decoding Activity High Number of Process and/or Service Terminations »