Attempts to Brute Force an Okta User Account

Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/08/19"
integration = ["okta"]
maturity = "production"
updated_date = "2024/09/23"

[rule]
author = ["Elastic", "@BenB196", "Austin Songer"]
description = """
Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute
force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy
ensures that a user account is locked out after 10 failed authentication attempts.
"""
from = "now-180m"
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempts to Brute Force an Okta User Account"
note = """## Triage and analysis

### Investigating Attempts to Brute Force an Okta User Account

Brute force attacks aim to guess user credentials through exhaustive trial-and-error attempts. In this context, Okta accounts are targeted.

This rule fires when an Okta user account has been locked out 3 times within a 3-hour window. This could indicate an attempted brute force or password spraying attack to gain unauthorized access to the user account. Okta's default authentication policy locks a user account after 10 failed authentication attempts.

#### Possible investigation steps:

- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.
- Review the `okta.event_type` field to understand the nature of the events that led to the account lockout.
- Check the `okta.severity` and `okta.display_message` fields for more context around the lockout events.
- Look for correlation of events from the same IP address. Multiple lockouts from the same IP address might indicate a single source for the attack.
- If the IP is not familiar, investigate it. The IP could be a proxy, VPN, Tor node, cloud datacenter, or a legitimate IP turned malicious.
- Determine if the lockout events occurred during the user's regular activity hours. Unusual timing may indicate malicious activity.
- Examine the authentication methods used during the lockout events by checking the `okta.authentication_context.credential_type` field.

### False positive analysis:

- Determine whether the account owner or an internal user made repeated mistakes in entering their credentials, leading to the account lockout.
- Ensure there are no known network or application issues that might cause these events.

### Response and remediation:

- Alert the user and your IT department immediately.
- If unauthorized access is confirmed, initiate your incident response process.
- Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue.
- Require the affected user to change their password.
- If the attack is ongoing, consider blocking the IP address initiating the brute force attack.
- Implement account lockout policies to limit the impact of brute force attacks.
- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.
- Check if the compromised account was used to access or alter any sensitive data or systems.

## Setup

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
    "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "e08ccd49-0380-4b2b-8d71-8000377d6e49"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.dataset:okta.system and event.action:user.account.lock
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.threshold]
field = ["okta.actor.alternate_id"]
value = 3
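The threshold logic of the rule above, reimplemented in plain Python as an added example (not code from the Elastic rule or the Okta integration): it applies the KQL filter, groups lockout events by `okta.actor.alternate_id`, approximates the 180-minute lookback as a sliding window, fires at 3 lockouts, and collects the source IPs for the alert to support the IP-correlation investigation step. The sample events are constructed and use documentation IP ranges; field names follow the rule's own `event.*`, `okta.*` and `client.ip` naming.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Mirrors the rule: query filter, threshold field/value and from = "now-180m".
QUERY_FILTER = {"event.dataset": "okta.system", "event.action": "user.account.lock"}
THRESHOLD_FIELD = "okta.actor.alternate_id"
THRESHOLD_VALUE = 3
WINDOW = timedelta(minutes=180)


def ev(ts, actor, ip, action="user.account.lock"):
    """Build a constructed, flattened Okta System Log event (sample data, not real)."""
    return {"@timestamp": ts, "event.dataset": "okta.system", "event.action": action,
            "okta.actor.alternate_id": actor, "client.ip": ip}


# Constructed sample: bob is locked out 3 times inside 3 hours from one IP (should fire);
# alice has 3 lockouts but spread over almost 5 hours (should not fire);
# one non-lockout event for bob must be ignored by the query filter.
SAMPLE_EVENTS = [
    ev("2024-09-23T08:00:00Z", "bob@example.com", "203.0.113.10"),
    ev("2024-09-23T08:40:00Z", "bob@example.com", "203.0.113.10"),
    ev("2024-09-23T09:10:00Z", "bob@example.com", "198.51.100.7", action="user.session.start"),
    ev("2024-09-23T10:30:00Z", "bob@example.com", "203.0.113.10"),
    ev("2024-09-23T08:05:00Z", "alice@example.com", "192.0.2.44"),
    ev("2024-09-23T09:05:00Z", "alice@example.com", "192.0.2.44"),
    ev("2024-09-23T13:00:00Z", "alice@example.com", "192.0.2.44"),
]


def matches_query(event):
    """Equivalent of: event.dataset:okta.system and event.action:user.account.lock"""
    return all(event.get(k) == v for k, v in QUERY_FILTER.items())


def threshold_hits(events, threshold=THRESHOLD_VALUE, window=WINDOW):
    """Return {actor: {"count": n, "source_ips": [...]}} for every actor whose
    lockout count reaches `threshold` inside a sliding window of `window`."""
    hits, recent = {}, defaultdict(deque)  # actor -> (timestamp, ip) inside the window
    for event in sorted(events, key=lambda e: e["@timestamp"]):
        actor = event.get(THRESHOLD_FIELD)
        if not matches_query(event) or actor is None:
            continue
        ts = datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))
        q = recent[actor]
        q.append((ts, event.get("client.ip", "unknown")))
        while ts - q[0][0] > window:  # evict lockouts older than the lookback window
            q.popleft()
        if len(q) >= threshold and actor not in hits:
            hits[actor] = {"count": len(q), "source_ips": sorted({ip for _, ip in q})}
    return hits
```

A real Elastic threshold rule counts within the fixed `from` lookback of each scheduled run rather than a strict sliding window, so an edge case near the window boundary can differ slightly from this approximation.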
