Try in Splunk Security Cloud


This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes) within an Okta tenant. Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. If the detection is a true positive, it suggests that an external entity is actively trying to breach security by targeting multiple user accounts.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • Last Updated: 2024-03-06
  • Author: Michael Haag, Mauricio Velazco, Splunk
  • ID: de365ffa-42f5-46b5-b43f-fa72290b8218




ID Technique Tactic
T1110.003 Password Spraying Credential Access
Kill Chain Phase
  • Exploitation
  • DE.AE
  • CIS 10
| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime dc(Authentication.user) as unique_accounts values(Authentication.signature) as signature values(Authentication.user) as user values( as app values(Authentication.authentication_method) as authentication_method from datamodel=Authentication where Authentication.action="failure" AND Authentication.signature=user.session.start by _time span=5m Authentication.src sourcetype 
| where unique_accounts > 9 
| `drop_dm_object_name("Authentication")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `okta_multiple_users_failing_to_authenticate_from_ip_filter`


The SPL above uses the following Macros:

:information_source: okta_multiple_users_failing_to_authenticate_from_ip_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • Authentication.user
  • Authentication.signature
  • Authentication.user
  • Authentication.authentication_method
  • Authentication.action
  • Authentication.src

How To Implement

The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (

Known False Positives

A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior.

Associated Analytic Story


Risk Score Impact Confidence Message
54.0 60 90 Multiple users failing to authenticate from a single source IP Address - [$src$]. Investigate further to determine if this was authorized.

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1