New

The executive guide to generative AI

Read more

Attempts to Brute Force an Okta User Account

edit

Attempts to Brute Force an Okta User Account

edit

Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.

Rule type: threshold

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-180m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 102

Rule authors:

  • Elastic
  • @BenB196
  • Austin Songer

Rule license: Elastic License v2

Investigation guide

edit

Rule query

edit
event.dataset:okta.system and event.action:user.account.lock

Framework: MITRE ATT&CKTM

Was this helpful?
Feedback