Multiple Okta Users With Invalid Credentials From The Same IP
THIS IS A DEPRECATED DETECTION
This detection has been marked deprecated by the Splunk Threat Research team. This means that it will no longer be maintained or supported.
Description
DEPRECATION NOTE - This search has been deprecated and replaced with Okta Multiple Users Failing To Authenticate From Ip. This analytic identifies multiple failed logon attempts from a single IP in a short period of time. Use this analytic to identify patterns of suspicious logins from a single source and filter as needed, or use it to drive tuning for higher fidelity analytics.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2024-02-29
- Author: Michael Haag, Mauricio Velazco, Rico Valdez, Splunk
- ID: 19cba45f-cad3-4032-8911-0c09e0444552
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
- Installation
- Delivery
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
`okta` eventType=user.session.start outcome.result=FAILURE
| rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city
| stats min(_time) as firstTime max(_time) as lastTime dc(src_user) as distinct_users values(src_user) as users by src_ip, displayMessage, outcome.reason, country, state, city
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| search distinct_users > 5
| `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter`
Macros
The SPL above uses the following Macros:
multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- outcome.reason
- client.geographicalContext.country
- client.geographicalContext.state
- client.geographicalContext.city
- user
- src_ip
- displayMessage
- eventType
- outcome.result
How To Implement
This search is specific to Okta and requires that Okta logs be ingested into your Splunk deployment.
Known False Positives
A single public IP address servicing multiple legitimate users may trigger this search. In addition, the threshold of 5 distinct users may be too low for your needs. You may modify the included filter macro multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter to raise the threshold or to exclude specific IP addresses from triggering this search.
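The following is an added example, not code from Splunk Security Content: a Python re-implementation of the SPL search above, run over constructed Okta System Log records, so the grouping, the distinct-user threshold and the role of the filter macro can be exercised offline. The mapping of src_ip to client.ipAddress and of src_user to actor.alternateId is assumed here (it is the Okta add-on's job in Splunk); the IP addresses and user names are constructed sample values.

```python
"""Added example (not Splunk Security Content's own code): the detection logic
of the SPL above applied to constructed Okta System Log events."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data: all users, addresses (RFC 5737 test ranges) and times are made up.
BASE = datetime(2024, 2, 29, 12, 0, tzinfo=timezone.utc)


def okta_event(user, ip, minute, result="FAILURE", reason="INVALID_CREDENTIALS",
               event_type="user.session.start", country="US", state="Texas", city="Austin"):
    """Build one constructed record using a subset of the real Okta System Log schema."""
    return {
        "published": (BASE + timedelta(minutes=minute)).isoformat(),
        "eventType": event_type,
        "displayMessage": "User login to Okta",
        "actor": {"alternateId": user},          # assumed to be what Splunk exposes as src_user
        "client": {"ipAddress": ip,              # assumed to be what Splunk exposes as src_ip
                   "geographicalContext": {"country": country, "state": state, "city": city}},
        "outcome": {"result": result, "reason": reason if result == "FAILURE" else None},
    }


SAMPLE_EVENTS = (
    # 7 distinct users fail from one address within 7 minutes: above the threshold of 5
    [okta_event(f"user{i}@example.com", "203.0.113.10", i) for i in range(7)]
    # only 2 distinct users fail from a second address: below the threshold
    + [okta_event(f"user{i}@example.com", "198.51.100.5", 20 + i) for i in range(2)]
    # a successful login and a non-session.start failure from the noisy address: dropped by the base search
    + [okta_event("admin@example.com", "203.0.113.10", 8, result="SUCCESS"),
       okta_event("user1@example.com", "203.0.113.10", 9, event_type="user.authentication.sso")]
    # 8 distinct users failing from a shared egress address: the known false-positive shape
    + [okta_event(f"staff{i}@example.com", "192.0.2.7", 30 + i) for i in range(8)]
)


def detect(events, threshold=5, excluded_ips=frozenset()):
    """Mirror the SPL: base filter, `stats ... by` grouping, `distinct_users > threshold`,
    then the filter macro's job (dropping allow-listed source addresses).
    Returns one row per surviving group, sorted by src_ip."""
    groups = defaultdict(lambda: {"users": set(), "times": []})
    for ev in events:
        # `okta` eventType=user.session.start outcome.result=FAILURE
        if ev["eventType"] != "user.session.start" or ev["outcome"]["result"] != "FAILURE":
            continue
        geo = ev["client"]["geographicalContext"]
        # ... by src_ip, displayMessage, outcome.reason, country, state, city
        key = (ev["client"]["ipAddress"], ev["displayMessage"], ev["outcome"]["reason"],
               geo["country"], geo["state"], geo["city"])
        groups[key]["users"].add(ev["actor"]["alternateId"])
        groups[key]["times"].append(datetime.fromisoformat(ev["published"]))

    rows = []
    for (src_ip, message, reason, country, state, city), agg in groups.items():
        # | search distinct_users > 5   and   | ..._filter  (allow-list of known shared IPs)
        if len(agg["users"]) <= threshold or src_ip in excluded_ips:
            continue
        rows.append({
            "src_ip": src_ip, "displayMessage": message, "outcome.reason": reason,
            "country": country, "state": state, "city": city,
            "firstTime": min(agg["times"]).isoformat(),   # min(_time) as firstTime
            "lastTime": max(agg["times"]).isoformat(),    # max(_time) as lastTime
            "distinct_users": len(agg["users"]),          # dc(src_user)
            "users": sorted(agg["users"]),                # values(src_user)
        })
    return sorted(rows, key=lambda r: r["src_ip"])


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS, excluded_ips={"192.0.2.7"}):
        print(f'{row["src_ip"]}: {row["distinct_users"]} users, {row["firstTime"]} .. {row["lastTime"]}')
```

Running it without an allow-list returns both the 7-user address and the 8-user shared egress; passing the shared address in excluded_ips (what the filter macro would do in Splunk) leaves only 203.0.113.10, and raising threshold to 8 returns nothing, which is the tuning trade-off the false-positive note describes.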
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
9.0 | 30 | 30 | Multiple user accounts have failed to authenticate from a single IP. |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.
Reference
- https://developer.okta.com/docs/reference/api/event-types/?q=INVALID_CREDENTIALS
- https://developer.okta.com/docs/reference/api/system-log/
- https://attack.mitre.org/techniques/T1110/003/
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 3