IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Halfbaked Command and Control Beacon High Number of Process and/or Service Terminations »

› › ›

High Number of Okta User Password Reset or Unlock Attempts

edit

High Number of Okta User Password Reset or Unlock Attempts

edit

Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target’s environment and evade detection.

Rule type: threshold

Rule indices:

filebeat-*
logs-okta*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Identity
Okta
Continuous Monitoring
SecOps
Identity and Access

Version: 5 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.14.0

Rule authors: Elastic, @BenB196, Austin Songer

Rule license: Elastic License v2

Potential false positives

edit

The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule.

Investigation guide

edit

Config

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Rule query

edit

event.dataset:okta.system and
event.action:(system.email.account_unlock.sent_message or
system.email.password_reset.sent_message or
system.sms.send_account_unlock_message or
system.sms.send_password_reset_message or
system.voice.send_account_unlock_call or
system.voice.send_password_reset_call or
user.account.unlock_token)

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/

Rule version history

edit

Version 5 (7.14.0 release)

Updated query, changed from:

event.dataset:okta.system and
event.action:(system.email.account_unlock.sent_message or
system.email.password_reset.sent_message or
system.sms.send_account_unlock_message or
system.sms.send_password_reset_message or
system.voice.send_account_unlock_call or
system.voice.send_password_reset_call or user.account.unlock_token)

Version 4 (7.13.0 release)

Formatting only

Version 3 (7.12.0 release)

Formatting only

Version 2 (7.11.0 release)

Formatting only

« Halfbaked Command and Control Beacon High Number of Process and/or Service Terminations »