High Number of Okta User Password Reset or Unlock Attemptsedit

Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to an Okta user account using these methods and attempt to blend in with normal activity in their target’s environment and evade detection.

Rule type: threshold

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 2 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.11.0

Rule authors: Elastic

Rule license: Elastic License

Potential false positivesedit

The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule.

Investigation guideedit

The Okta Filebeat module must be enabled to use this rule.

Rule queryedit

event.dataset:okta.system and
event.action:(system.email.account_unlock.sent_message or
system.email.password_reset.sent_message or
system.sms.send_account_unlock_message or
system.sms.send_password_reset_message or
system.voice.send_account_unlock_call or
system.voice.send_password_reset_call or user.account.unlock_token)

Threat mappingedit


Rule version historyedit

Version 2 (7.11.0 release)
  • Formatting only