High Number of Okta User Password Reset or Unlock Attempts

edit

High Number of Okta User Password Reset or Unlock Attempts

edit

Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to an Okta user account using these methods and attempt to blend in with normal activity in their target’s environment and evade detection.

Rule type: threshold

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 2 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.11.0

Rule authors: Elastic

Rule license: Elastic License

Potential false positives

edit

The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule.

Investigation guide

edit

The Okta Filebeat module must be enabled to use this rule.

Rule query

edit
event.dataset:okta.system and
event.action:(system.email.account_unlock.sent_message or
system.email.password_reset.sent_message or
system.sms.send_account_unlock_message or
system.sms.send_password_reset_message or
system.voice.send_account_unlock_call or
system.voice.send_password_reset_call or user.account.unlock_token)

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 2 (7.11.0 release)
  • Formatting only