Multiple Okta User Authentication Events with Client Address

Last updated a month ago on 2025-07-16

Created a year ago on 2024-06-17

About

Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.

Tags

Use Case: Identity and Access AuditData Source: OktaTactic: Credential AccessLanguage: esql

Severity

low

Risk Score

MITRE ATT&CK™

Credential Access (TA0006)(opens in a new tab or window)

↳ Brute Force (T1110)(opens in a new tab or window)

False Positive Examples

Users may share an endpoint related to work or personal use in which separate Okta accounts are used.Shared systems such as Kiosks and conference room computers may be used by multiple users.

License

Elastic License v2(opens in a new tab or window)

Definition

Integration Pack: Prebuilt Security Detection Rules
Related Integrations: okta(opens in a new tab or window)
Query

from logs-okta*
| where
    event.dataset == "okta.system" and
    (event.action == "user.session.start" or event.action rlike "user\.authentication(.*)") and
    okta.outcome.reason == "INVALID_CREDENTIALS"
| keep
    okta.client.ip,
    okta.actor.alternate_id,
    okta.actor.id,
    event.action,
    okta.outcome.reason
| stats
    Esql.okta_actor_id_count_distinct = count_distinct(okta.actor.id)
  by
    okta.client.ip,
    okta.actor.alternate_id
| where
    Esql.okta_actor_id_count_distinct > 5
| sort
    Esql.okta_actor_id_count_distinct desc

Install detection rules in Elastic Security

Detect Multiple Okta User Authentication Events with Client Address in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).