⚠️ WARNING: THIS IS AN EXPERIMENTAL DETECTION
We have not been able to test, simulate, or build datasets for it; use at your own risk!
Detect failed Okta SSO events
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2020-07-21
- Author: Rico Valdez, Splunk
- ID: 371a6545-2618-4032-ad84-93386b8698c5
| ID | Technique | Tactic |
| --- | --- | --- |
| T1078.001 | Default Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access |
`okta` displayMessage="User attempted unauthorized access to app" | stats min(_time) as firstTime max(_time) as lastTime values(app) as Apps count by user, result, displayMessage, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_failed_sso_attempts_filter`
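To show what the search above computes, here is an added Python equivalent (not part of the Splunk content or the Okta add-on) that runs the same filter and stats aggregation over constructed Okta System Log events. The field mapping it uses (user from actor.alternateId, result from outcome.result, src_ip from client.ipAddress, app from target[].displayName) and the timestamp format are assumptions, and the `exclude` callback stands in for the `okta_failed_sso_attempts_filter` tuning macro.

```python
import json
from datetime import datetime

# Constructed sample Okta System Log events (not real data). The field mapping
# used below (user=actor.alternateId, result=outcome.result,
# src_ip=client.ipAddress, app=target[].displayName) is an assumption about how
# the Okta add-on populates the search's fields; the page does not state it.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"published":"2020-07-21T10:00:00.000Z","displayMessage":"User attempted unauthorized access to app","outcome":{"result":"FAILURE"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"},"target":[{"type":"AppInstance","displayName":"Salesforce"}]}
{"published":"2020-07-21T10:05:00.000Z","displayMessage":"User attempted unauthorized access to app","outcome":{"result":"FAILURE"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"},"target":[{"type":"AppInstance","displayName":"AWS Console"}]}
{"published":"2020-07-21T11:00:00.000Z","displayMessage":"User attempted unauthorized access to app","outcome":{"result":"FAILURE"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.7"},"target":[{"type":"AppInstance","displayName":"Salesforce"}]}
{"published":"2020-07-21T11:30:00.000Z","displayMessage":"User single sign on to app","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.50"},"target":[{"type":"AppInstance","displayName":"Salesforce"}]}
""".strip().splitlines()]

MATCH_MESSAGE = "User attempted unauthorized access to app"
TIME_FMT = "%Y-%m-%dT%H:%M:%S"  # assumed to mirror the security_content_ctime macro output

def parse_time(published):
    # Okta "published" timestamps are ISO 8601 with milliseconds and a trailing Z.
    return datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ")

def failed_sso_summary(events, exclude=lambda row: False):
    """Equivalent of the detection's stats clause: min/max _time, values(app) and
    count grouped by user, result, displayMessage, src_ip. The `exclude` callback
    plays the role of the okta_failed_sso_attempts_filter tuning macro."""
    groups = {}
    for ev in events:
        if ev.get("displayMessage") != MATCH_MESSAGE:
            continue  # the base search keeps only this displayMessage
        ts = parse_time(ev["published"])
        key = (ev["actor"]["alternateId"], ev["outcome"]["result"],
               ev["displayMessage"], ev["client"]["ipAddress"])
        g = groups.setdefault(key, {"first": ts, "last": ts, "apps": set(), "count": 0})
        g["first"], g["last"] = min(g["first"], ts), max(g["last"], ts)
        g["apps"].update(t["displayName"] for t in ev.get("target", []) if t.get("type") == "AppInstance")
        g["count"] += 1
    rows = []
    for (user, result, msg, src_ip), g in sorted(groups.items()):
        row = {"user": user, "result": result, "displayMessage": msg, "src_ip": src_ip,
               "firstTime": g["first"].strftime(TIME_FMT), "lastTime": g["last"].strftime(TIME_FMT),
               "Apps": sorted(g["apps"]), "count": g["count"]}  # values() yields sorted unique apps
        if not exclude(row):
            rows.append(row)
    return rows

if __name__ == "__main__":
    for row in failed_sso_summary(SAMPLE_EVENTS):
        print(row)
```

Running it yields one row per (user, src_ip) pair with the apps each user was denied and how often, which is the shape the Splunk search returns; the SUCCESS event for carol is dropped by the displayMessage filter.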
Associated Analytic Story
How To Implement
This search is specific to Okta and requires that Okta logs are being ingested into your Splunk deployment.
Kill Chain Phase
Known False Positives
There may be a faulty configuration preventing legitimate users from accessing apps they should have access to.
source | version: 2