Navigation :

Multiple Okta Users With Invalid Credentails From The Same IP

Description

This search detects Okta login failures due to bad credentials for multiple users originating from the same ip address.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Adversary Tactics

Alert Volume

This search detects Okta login failures due to bad credentials for multiple users originating from the same ip address.

SPL Difficulty

None

Journey

Stage 2

MITRE ATT&CK Tactics

Defense Evasion
Persistence
Privilege Escalation
Initial Access

MITRE ATT&CK Techniques

Valid Accounts

Default Accounts

Data Sources

Okta

   Help

Multiple Okta Users With Invalid Credentails From The Same IP Help

This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.

   Search

`okta` outcome.reason=INVALID_CREDENTIALS | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats min(_time) as firstTime max(_time) as lastTime dc(user) as distinct_users values(user) as users by src_ip, displayMessage, outcome.reason, country, state, city  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |  search distinct_users > 5| `multiple_okta_users_with_invalid_credentails_from_the_same_ip_filter`
Open in Search