High Number of Okta User Password Reset or Unlock Attempts

About

Tags

Use Case: Identity and Access AuditData Source: OktaTactic: Defense Evasion

Severity

medium

Risk Score

47

MITRE ATT&CK™

Defense Evasion (TA0005)(opens in a new tab or window)

↳ Valid Accounts (T1078)(opens in a new tab or window)

Persistence (TA0003)(opens in a new tab or window)

↳ Valid Accounts (T1078)(opens in a new tab or window)

Initial Access (TA0001)(opens in a new tab or window)

↳ Valid Accounts (T1078)(opens in a new tab or window)

False Positive Examples

The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Threshold Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

filebeat-*logs-okta*

Related Integrations

okta(opens in a new tab or window)

Query

event.dataset:okta.system and
  event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or
                system.sms.send_account_unlock_message or system.sms.send_password_reset_message or
                system.voice.send_account_unlock_call or system.voice.send_password_reset_call or
                user.account.unlock_token)