Data Source: Okta

Description

Okta System Log events, ingested into Splunk with sourcetype OktaIM2:log, covering authentication and administrative activity: user login attempts and their outcomes, MFA challenges, session management, and configuration changes. The detections below are all written against this one sourcetype.

Details

| Property   | Value        |
|------------|--------------|
| Source     | Okta         |
| Sourcetype | OktaIM2:log  |
| Name | Technique | Type |
|------|-----------|------|
| Okta Multiple Accounts Locked Out | Brute Force | Anomaly |
| Okta Multi-Factor Authentication Disabled | Multi-Factor Authentication | TTP |
| Okta Multiple Users Failing To Authenticate From Ip | Password Spraying | Anomaly |
| Okta Suspicious Use of a Session Cookie | Steal Web Session Cookie | Anomaly |
| Okta New API Token Created | Default Accounts | TTP |
| Okta Phishing Detection with FastPass Origin Check | Default Accounts, Modify Authentication Process | TTP |
| Okta New Device Enrolled on Account | Device Registration | TTP |
| Okta IDP Lifecycle Modifications | Cloud Account | Anomaly |
| Okta Suspicious Activity Reported | Default Accounts | TTP |
| Okta Multiple Failed MFA Requests For User | Multi-Factor Authentication Request Generation | Anomaly |
| Okta Risk Threshold Exceeded | Valid Accounts, Brute Force | Correlation |
| Okta Unauthorized Access to Application | Cloud Account | Anomaly |
| Okta User Logins from Multiple Cities | Cloud Accounts | Anomaly |
| Okta Multiple Failed Requests to Access Applications | Cloud Service Dashboard, Web Session Cookie | Hunting |
| Okta Mismatch Between Source and Response for Verify Push Request | Multi-Factor Authentication Request Generation | TTP |
| Okta MFA Exhaustion Hunt | Brute Force | Hunting |
| Okta Successful Single Factor Authentication | Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly |
| Okta Authentication Failed During MFA Challenge | Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| Okta ThreatInsight Threat Detected | Cloud Accounts | Anomaly |
| Okta Non-Standard VPN Usage | Valid Accounts, Proxy, Protocol Tunneling | TTP |
| Geographic Improbable Location | Valid Accounts | Anomaly |

Supported Apps

Required Output Fields

  • dest

  • src

  • user
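The table above lists the detections and the three fields every one of them must emit, but not how an Okta System Log event maps onto `user`, `src` and `dest`, nor what two of the simpler detections actually compute. The following is an added example written for this page; it is not code from the Splunk security content project and not SPL. It parses a handful of constructed OktaIM2:log-style JSON events, normalizes them to the required output fields, and runs Python equivalents of "Okta Multiple Users Failing To Authenticate From Ip" (distinct users failing from one source address inside a time window) and "Okta Multiple Accounts Locked Out". The field paths `actor.alternateId`, `client.ipAddress`, `outcome.result` and `published` follow Okta's System Log schema; the `user.account.lock` event type, the choice of `dest` (first target's alternateId, falling back to `okta`), the thresholds and the sample data are assumptions made for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _event(published, event_type, user, ip, result, reason=None, target=None):
    """Build one constructed Okta System Log event as a JSON line (sample data, not real logs)."""
    ev = {
        "published": published,
        "eventType": event_type,
        "actor": {"alternateId": user, "type": "User"},
        "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": "Mozilla/5.0"}},
        "outcome": {"result": result, "reason": reason},
        "target": [{"alternateId": target, "type": "AppInstance"}] if target else [],
    }
    return json.dumps(ev)


# Constructed sample: one address failing against six different users (spraying),
# one user failing twice then succeeding (normal), and three lockouts.
RAW_EVENTS = [
    _event("2024-05-01T09:00:05Z", "user.session.start", "alice@example.com", "203.0.113.10", "FAILURE", "INVALID_CREDENTIALS"),
    _event("2024-05-01T09:00:11Z", "user.session.start", "bob@example.com", "203.0.113.10", "FAILURE", "INVALID_CREDENTIALS"),
    _event("2024-05-01T09:00:18Z", "user.session.start", "carol@example.com", "203.0.113.10", "FAILURE", "INVALID_CREDENTIALS"),
    _event("2024-05-01T09:00:24Z", "user.session.start", "dave@example.com", "203.0.113.10", "FAILURE", "INVALID_CREDENTIALS"),
    _event("2024-05-01T09:00:31Z", "user.session.start", "erin@example.com", "203.0.113.10", "FAILURE", "INVALID_CREDENTIALS"),
    _event("2024-05-01T09:00:37Z", "user.session.start", "frank@example.com", "203.0.113.10", "FAILURE", "INVALID_CREDENTIALS"),
    _event("2024-05-01T09:02:00Z", "user.session.start", "grace@example.com", "198.51.100.7", "FAILURE", "INVALID_CREDENTIALS"),
    _event("2024-05-01T09:02:30Z", "user.session.start", "grace@example.com", "198.51.100.7", "FAILURE", "INVALID_CREDENTIALS"),
    _event("2024-05-01T09:03:00Z", "user.session.start", "grace@example.com", "198.51.100.7", "SUCCESS", None, "Salesforce"),
    # user.account.lock is assumed here to be the lockout event type
    _event("2024-05-01T09:05:00Z", "user.account.lock", "bob@example.com", "203.0.113.10", "SUCCESS"),
    _event("2024-05-01T09:05:01Z", "user.account.lock", "carol@example.com", "203.0.113.10", "SUCCESS"),
    _event("2024-05-01T09:05:02Z", "user.account.lock", "dave@example.com", "203.0.113.10", "SUCCESS"),
]


def normalize(ev):
    """Map one parsed Okta event onto the required output fields plus the
    attributes the detections need. user/src/dest mapping is this example's assumption."""
    targets = ev.get("target") or []
    return {
        "_time": datetime.fromisoformat(ev["published"].replace("Z", "+00:00")),
        "eventType": ev["eventType"],
        "user": ev["actor"]["alternateId"],
        "src": ev["client"]["ipAddress"],
        "dest": targets[0]["alternateId"] if targets else "okta",
        "result": ev["outcome"]["result"],
        "reason": ev["outcome"].get("reason"),
    }


def parse_events(raw_lines):
    """Parse JSON lines as the OktaIM2:log sourcetype carries them and normalize each."""
    return [normalize(json.loads(line)) for line in raw_lines]


def detect_password_spraying(events, min_users=5, window_minutes=10):
    """Return {src: [users]} for each src whose failed session starts hit
    at least min_users distinct users within any window_minutes-wide window."""
    by_src = defaultdict(list)
    for e in events:
        if e["eventType"] == "user.session.start" and e["result"] == "FAILURE":
            by_src[e["src"]].append(e)
    window = timedelta(minutes=window_minutes)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["_time"])
        for i, start in enumerate(evs):  # sliding window anchored at each failure
            users = {e["user"] for e in evs[i:] if e["_time"] - start["_time"] <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits


def detect_multiple_lockouts(events, min_users=3):
    """Return the sorted list of locked-out users if at least min_users distinct
    accounts were locked, else an empty list."""
    locked = sorted({e["user"] for e in events if e["eventType"] == "user.account.lock"})
    return locked if len(locked) >= min_users else []


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    print("spraying:", detect_password_spraying(evs))
    print("lockouts:", detect_multiple_lockouts(evs))
```

Note that the single user failing twice from 198.51.100.7 does not trip the spraying check: the detection keys on distinct users per source, not on failure volume, which is what separates spraying from a user who mistyped a password. Tune `min_users` and `window_minutes` to your org's size and login rate before relying on it.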


Source: GitHub | Version: 3