Potential Okta Brute Force (Multi-Source)

Detects potential brute force attacks against a single Okta user account from multiple source IPs, indicating attackers rotating through proxy infrastructure to evade IP-based detection.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/02/19"
integration = ["okta"]
maturity = "production"
updated_date = "2026/02/19"

[rule]
author = ["Elastic"]
description = """
Detects potential brute force attacks against a single Okta user account from multiple source IPs, indicating
attackers rotating through proxy infrastructure to evade IP-based detection.
"""
false_positives = [
    "Users with legitimate multi-location access (mobile + home + office) experiencing concurrent login issues.",
    "Shared service accounts accessed from multiple legitimate infrastructure IPs.",
]
from = "now-30m"
language = "esql"
license = "Elastic License v2"
name = "Potential Okta Brute Force (Multi-Source)"
note = """## Triage and analysis

### Investigating Potential Okta Brute Force (Multi-Source)

This rule identifies a single user account receiving failed authentication attempts from multiple unique source IPs. This pattern indicates attackers rotating through proxy infrastructure to evade IP-based detection while targeting a specific account.

#### Possible investigation steps
- Identify the targeted user account and determine if it has elevated privileges or sensitive access.
- Review the geographic distribution of source IPs for anomalies such as multiple countries or unusual locations.
- Examine the ASN ownership of source IPs for signs of proxy, VPN, or cloud infrastructure.
- Check if Okta flagged any of the sources as known threats or proxies.
- Determine if any authentication attempts succeeded following the failed attempts.
- Review the user's recent activity for signs of account compromise.

### False positive analysis
- Users traveling internationally with mobile devices may generate failed attempts from multiple locations.
- Service accounts accessed from distributed legitimate infrastructure may trigger this rule.
- Corporate VPN exit nodes spread across regions could appear as multiple IPs for a single user.

### Response and remediation
- If attack is confirmed, reset the user's password immediately.
- Review and potentially reset MFA for the targeted account.
- Block attacking IP addresses at the network perimeter.
- Consider implementing geo-restrictions for the targeted account if dispersed access is not expected.
- Monitor for any successful authentication that may indicate compromise.
"""
references = [
    "https://support.okta.com/help/s/article/Troubleshooting-Distributed-Brute-Force-andor-Password-Spray-attacks-in-Okta",
    "https://www.okta.com/identity-101/brute-force/",
    "https://developer.okta.com/docs/reference/api/event-types/",
    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
    "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "5889760c-9858-4b4b-879c-e299df493295"
setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."
severity = "medium"
tags = [
    "Domain: Identity",
    "Use Case: Identity and Access Audit",
    "Use Case: Threat Detection",
    "Data Source: Okta",
    "Data Source: Okta System Logs",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
FROM logs-okta.system-* METADATA _id, _version, _index
| WHERE event.dataset == "okta.system"
    AND (event.action LIKE "user.authentication.*" OR event.action == "user.session.start")
    AND okta.outcome.reason IN ("INVALID_CREDENTIALS", "LOCKED_OUT")
    AND okta.actor.alternate_id IS NOT NULL

// Create source mapping for analyst context
| EVAL Esql.source_info = CONCAT(
    "{\"ip\":\"", COALESCE(okta.client.ip::STRING, "unknown"),
    "\",\"country\":\"", COALESCE(client.geo.country_name, "unknown"),
    "\",\"asn\":\"", COALESCE(source.as.organization.name, "unknown"),
    "\",\"user_agent\":\"", COALESCE(okta.client.user_agent.raw_user_agent, "unknown"), "\"}"
  )

| STATS
    Esql.unique_source_ips = COUNT_DISTINCT(okta.client.ip),
    Esql.total_attempts = COUNT(*),
    Esql.unique_user_agents = COUNT_DISTINCT(okta.client.user_agent.raw_user_agent),
    Esql.unique_dt_hashes = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash),
    Esql.unique_asns = COUNT_DISTINCT(source.as.number),
    Esql.unique_countries = COUNT_DISTINCT(client.geo.country_name),
    Esql.first_seen = MIN(@timestamp),
    Esql.last_seen = MAX(@timestamp),
    Esql.source_ip_values = VALUES(okta.client.ip),
    Esql.source_mapping = VALUES(Esql.source_info),
    Esql.event_action_values = VALUES(event.action),
    Esql.user_agent_values = VALUES(okta.client.user_agent.raw_user_agent),
    Esql.device_values = VALUES(okta.client.device),
    Esql.is_proxy_values = VALUES(okta.security_context.is_proxy),
    Esql.geo_country_values = VALUES(client.geo.country_name),
    Esql.geo_city_values = VALUES(client.geo.city_name),
    Esql.source_asn_values = VALUES(source.as.number),
    Esql.source_asn_org_values = VALUES(source.as.organization.name),
    Esql.threat_suspected_values = VALUES(okta.debug_context.debug_data.threat_suspected),
    Esql.risk_level_values = VALUES(okta.debug_context.debug_data.risk_level),
    Esql.risk_reasons_values = VALUES(okta.debug_context.debug_data.risk_reasons)
  BY okta.actor.alternate_id

| EVAL
    Esql.attempts_per_ip = Esql.total_attempts * 1.0 / Esql.unique_source_ips,
    Esql.duration_seconds = DATE_DIFF("seconds", Esql.first_seen, Esql.last_seen)

| WHERE
    Esql.unique_source_ips >= 5
    AND Esql.total_attempts >= 10
    AND (
        Esql.unique_countries >= 2 OR
        Esql.unique_asns >= 3 OR
        Esql.unique_source_ips >= 8 OR
        Esql.unique_user_agents >= 3
    )

| SORT Esql.unique_source_ips DESC
| KEEP Esql.*, okta.actor.alternate_id
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"
[[rule.threat.technique.subtechnique]]
id = "T1110.001"
name = "Password Guessing"
reference = "https://attack.mitre.org/techniques/T1110/001/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
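The detection logic of the ES|QL query above, as an added Python example that is not part of the Elastic rule: it re-implements the per-user STATS aggregation and the two-stage WHERE (volume gate of 5 IPs and 10 attempts, plus at least one source-diversity indicator) over constructed Okta System Log events so the thresholds can be exercised offline. The field names are those the query reads; the `_ev` helper, the sample users and the IP/ASN values are constructed for the example.

```python
# Added example (not code from the Elastic rule): the query's STATS and WHERE logic
# re-implemented over constructed Okta events. Keys mirror the ECS fields the query reads.
from collections import defaultdict

FAIL_REASONS = {"INVALID_CREDENTIALS", "LOCKED_OUT"}
DISTINCT_FIELDS = {  # rule metric -> field the query feeds to COUNT_DISTINCT
    "unique_source_ips": "okta.client.ip",
    "unique_countries": "client.geo.country_name",
    "unique_asns": "source.as.number",
    "unique_user_agents": "okta.client.user_agent.raw_user_agent",
}

def is_failed_auth(ev):
    """First WHERE clause: failed authentication / session-start events only."""
    action = ev.get("event.action", "")
    return ((action.startswith("user.authentication.") or action == "user.session.start")
            and ev.get("okta.outcome.reason") in FAIL_REASONS
            and ev.get("okta.actor.alternate_id") is not None)

def aggregate(events):
    """STATS ... BY okta.actor.alternate_id: per-user distinct counts and totals."""
    sets = defaultdict(lambda: {m: set() for m in DISTINCT_FIELDS})
    totals = defaultdict(int)
    for ev in filter(is_failed_auth, events):
        user = ev["okta.actor.alternate_id"]
        totals[user] += 1
        for metric, field in DISTINCT_FIELDS.items():
            if ev.get(field) is not None:  # COUNT_DISTINCT ignores null values
                sets[user][metric].add(ev[field])
    return {u: {**{m: len(s) for m, s in sets[u].items()}, "total_attempts": totals[u]}
            for u in totals}

def matches_rule(stats):
    """Second WHERE clause: volume gate plus at least one source-diversity signal."""
    return (stats["unique_source_ips"] >= 5 and stats["total_attempts"] >= 10
            and (stats["unique_countries"] >= 2 or stats["unique_asns"] >= 3
                 or stats["unique_source_ips"] >= 8 or stats["unique_user_agents"] >= 3))

def detect(events):
    """Return {user: stats} for every user whose failed attempts would fire the rule."""
    return {u: s for u, s in aggregate(events).items() if matches_rule(s)}

def _ev(user, ip, country, asn, ua, reason="INVALID_CREDENTIALS"):  # constructed sample event
    return {"event.action": "user.session.start", "okta.outcome.reason": reason,
            "okta.actor.alternate_id": user, "okta.client.ip": ip, "source.as.number": asn,
            "client.geo.country_name": country, "okta.client.user_agent.raw_user_agent": ua}

SAMPLE_EVENTS = (  # 12 rotating-proxy failures against alice; 15 single-IP failures for bob
    [_ev("alice@example.com", f"203.0.113.{i}", ("NL", "DE")[i % 2], 64500 + i % 3, "curl/8.0")
     for i in range(12)]
    + [_ev("bob@example.com", "198.51.100.7", "NL", 64510, "Mozilla/5.0") for _ in range(15)])
```

Only alice fires: 12 attempts from 12 IPs across 2 countries and 3 ASNs, while bob's 15 failures from one IP never pass the 5-IP gate and would instead be a candidate for a single-source lockout rule.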
