High Number of Okta User Password Reset or Unlock Attemptsedit

Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target’s environment and evade detection.

Rule type: threshold

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 5 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.14.0

Rule authors: Elastic, @BenB196, Austin Songer

Rule license: Elastic License v2

Potential false positivesedit

The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule.

Investigation guideedit

## Config

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Rule queryedit

event.dataset:okta.system and
event.action:(system.email.account_unlock.sent_message or
system.email.password_reset.sent_message or
system.sms.send_account_unlock_message or
system.sms.send_password_reset_message or
system.voice.send_account_unlock_call or
system.voice.send_password_reset_call or
user.account.unlock_token)

Threat mappingedit

Framework: MITRE ATT&CKTM

Rule version historyedit

Version 5 (7.14.0 release)
  • Updated query, changed from:

    event.dataset:okta.system and
    event.action:(system.email.account_unlock.sent_message or
    system.email.password_reset.sent_message or
    system.sms.send_account_unlock_message or
    system.sms.send_password_reset_message or
    system.voice.send_account_unlock_call or
    system.voice.send_password_reset_call or user.account.unlock_token)
Version 4 (7.13.0 release)
  • Formatting only
Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Formatting only