Try in Splunk Security Cloud

Description

The following analytic detects multiple Okta accounts being locked out within a short period. It uses the user.account.lock event from Okta logs, aggregated over a 5-minute window, to identify this behavior. This activity is significant as it may indicate a brute force or password spraying attack, where an adversary attempts to guess passwords, leading to account lockouts. If confirmed malicious, this could result in potential account takeovers or unauthorized access to sensitive Okta accounts, posing a significant security risk.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • Last Updated: 2024-05-11
  • Author: Michael Haag, Mauricio Velazco, Splunk
  • ID: a511426e-184f-4de6-8711-cfd2af29d1e1

Annotations

ATT&CK

ATT&CK

ID Technique Tactic
T1110 Brute Force Credential Access
Kill Chain Phase
  • Exploitation
NIST
  • DE.AE
CIS20
  • CIS 10
CVE 


1
2
3
4
5
6
7



| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime values(All_Changes.user) as user from datamodel=Change where All_Changes.change_type=AAA All_Changes.object_category=User AND All_Changes.action=lockout AND All_Changes.command=user.account.lock by _time span=5m All_Changes.result All_Changes.command sourcetype All_Changes.src 
| where count > 5 
| `drop_dm_object_name("All_Changes")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `okta_multiple_accounts_locked_out_filter`

Macros

The SPL above uses the following Macros:

:information_source: okta_multiple_accounts_locked_out_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • All_Changes.change_type
  • All_Changes.object_category
  • All_Changes.action
  • All_Changes.command
  • All_Changes.result
  • All_Changes.src
  • sourcetype

How To Implement

The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).

Known False Positives

Multiple account lockouts may be also triggered by an application malfunction. Filter as needed, and monitor for any unusual activity.

Associated Analytic Story

RBA

Risk Score Impact Confidence Message
49.0 70 70 Multiple accounts locked out in Okta from [$src$]. Investigate further to determine if this was authorized.

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2