Potential Okta Password Spray (Multi-Source)

Detects potential password spray attacks where multiple source IPs target multiple Okta user accounts within a time window, indicating coordinated attacks using IP rotation to evade single-source detection.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/02/19"
integration = ["okta"]
maturity = "production"
updated_date = "2026/02/19"

[rule]
author = ["Elastic"]
description = """
Detects potential password spray attacks where multiple source IPs target multiple Okta user accounts within a
time window, indicating coordinated attacks using IP rotation to evade single-source detection.
"""
false_positives = [
    "Large enterprises with many users experiencing simultaneous password issues during credential rotation events.",
    "Automated monitoring or penetration testing tools scanning from multiple IPs.",
]
from = "now-1h"
interval = "15m"
language = "esql"
license = "Elastic License v2"
name = "Potential Okta Password Spray (Multi-Source)"
note = """## Triage and analysis

### Investigating Potential Okta Password Spray (Multi-Source)

This rule identifies coordinated password spray attacks where multiple source IPs target multiple user accounts within a time window. This pattern indicates attackers using IP rotation to evade single-source detection while spraying passwords across the organization.

#### Possible investigation steps
- Review the list of targeted user accounts and check if any authentications succeeded.
- Examine the source IPs and their ASN ownership for signs of proxy, VPN, or cloud infrastructure.
- Check if Okta flagged any of the sources as known threats or proxies.
- Analyze the attempts-per-user ratio to confirm spray behavior versus brute force.
- Review the geographic distribution of source IPs for coordination patterns.
- Cross-reference with successful authentication events to identify potential compromises.

### False positive analysis
- Organization-wide password rotation or expiration events may cause widespread authentication failures.
- Misconfigured SSO or SAML integrations can cause batch failures from legitimate infrastructure.
- Penetration testing should be coordinated and whitelisted in advance.

### Response and remediation
- If attack is confirmed, notify affected users and enforce password resets for potentially compromised accounts.
- Block attacking IP ranges at the network perimeter.
- Enable or strengthen MFA for targeted accounts.
- Review Okta sign-on policies to add additional friction for suspicious authentication patterns.
- Consider temporary lockdowns for highly targeted accounts.
"""
references = [
    "https://support.okta.com/help/s/article/Troubleshooting-Distributed-Brute-Force-andor-Password-Spray-attacks-in-Okta",
    "https://www.okta.com/identity-101/brute-force/",
    "https://developer.okta.com/docs/reference/api/event-types/",
    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
    "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "2d3c27d5-d133-4152-8102-8d051619ec4a"
setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."
severity = "medium"
tags = [
    "Domain: Identity",
    "Use Case: Identity and Access Audit",
    "Use Case: Threat Detection",
    "Data Source: Okta",
    "Data Source: Okta System Logs",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
FROM logs-okta.system-* METADATA _id, _version, _index
| WHERE
    event.dataset == "okta.system"
    AND (event.action LIKE "user.authentication.*" OR event.action == "user.session.start")
    AND okta.outcome.reason IN ("INVALID_CREDENTIALS", "LOCKED_OUT")
    AND okta.actor.alternate_id IS NOT NULL

// Bucket into 15-minute windows and create user-source mapping for context
| EVAL
    Esql.time_bucket = DATE_TRUNC(15 minutes, @timestamp),
    Esql.user_source_info = CONCAT(
      "{\"user\":\"", okta.actor.alternate_id,
      "\",\"ip\":\"", COALESCE(okta.client.ip::STRING, "unknown"),
      "\",\"user_agent\":\"", COALESCE(okta.client.user_agent.raw_user_agent, "unknown"), "\"}"
    )

// Aggregate across entire tenant per time bucket to detect distributed spray
| STATS
    Esql.unique_users = COUNT_DISTINCT(okta.actor.alternate_id),
    Esql.unique_source_ips = COUNT_DISTINCT(okta.client.ip),
    Esql.total_attempts = COUNT(*),
    Esql.unique_user_agents = COUNT_DISTINCT(okta.client.user_agent.raw_user_agent),
    Esql.unique_asns = COUNT_DISTINCT(source.as.number),
    Esql.unique_countries = COUNT_DISTINCT(client.geo.country_name),
    Esql.first_seen = MIN(@timestamp),
    Esql.last_seen = MAX(@timestamp),
    Esql.target_users = VALUES(okta.actor.alternate_id),
    Esql.source_ip_values = VALUES(okta.client.ip),
    Esql.user_source_mapping = VALUES(Esql.user_source_info),
    Esql.event_action_values = VALUES(event.action),
    Esql.user_agent_values = VALUES(okta.client.user_agent.raw_user_agent),
    Esql.device_values = VALUES(okta.client.device),
    Esql.is_proxy_values = VALUES(okta.security_context.is_proxy),
    Esql.geo_country_values = VALUES(client.geo.country_name),
    Esql.geo_city_values = VALUES(client.geo.city_name),
    Esql.source_asn_values = VALUES(source.as.number),
    Esql.source_asn_org_values = VALUES(source.as.organization.name),
    Esql.threat_suspected_values = VALUES(okta.debug_context.debug_data.threat_suspected),
    Esql.risk_level_values = VALUES(okta.debug_context.debug_data.risk_level),
    Esql.risk_reasons_values = VALUES(okta.debug_context.debug_data.risk_reasons)
  BY Esql.time_bucket

// Calculate spray metrics
| EVAL
    Esql.attempts_per_user = Esql.total_attempts * 1.0 / Esql.unique_users,
    Esql.attempts_per_ip = Esql.total_attempts * 1.0 / Esql.unique_source_ips,
    Esql.users_per_ip = Esql.unique_users * 1.0 / Esql.unique_source_ips

// Distributed spray: many IPs, many users, moderate spread across both
// Key differentiator: attacks come from multiple IPs (evading per-IP rules)
| WHERE
    Esql.unique_source_ips >= 5
    AND Esql.unique_users >= 8
    AND Esql.total_attempts >= 25
    AND Esql.attempts_per_user <= 5.0
    AND Esql.users_per_ip >= 1.0

| SORT Esql.total_attempts DESC
| KEEP Esql.*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"
[[rule.threat.technique.subtechnique]]
id = "T1110.003"
name = "Password Spraying"
reference = "https://attack.mitre.org/techniques/T1110/003/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
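
The rule's 15-minute bucketing, per-bucket aggregation and threshold logic, re-implemented in Python as an added example (not Elastic's code) and run over constructed sample events, so the spray-versus-single-source distinction the thresholds encode can be checked offline. Field names are simplified stand-ins for the Okta ECS fields the query uses, and the sample data is invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds copied from the rule's final WHERE clause.
MIN_IPS, MIN_USERS, MIN_ATTEMPTS, MAX_ATTEMPTS_PER_USER, MIN_USERS_PER_IP = 5, 8, 25, 5.0, 1.0

def time_bucket(ts):
    """DATE_TRUNC(15 minutes, @timestamp): floor to the enclosing 15-minute window."""
    return ts - timedelta(minutes=ts.minute % 15, seconds=ts.second, microseconds=ts.microsecond)

def detect_multi_source_spray(events):
    """Apply the rule's filter, per-bucket STATS and threshold WHERE; return one finding per bucket.
    Events are dicts with @timestamp (aware datetime), user, ip, reason and action, standing in for
    okta.actor.alternate_id, okta.client.ip, okta.outcome.reason and event.action."""
    buckets = defaultdict(list)
    for ev in events:
        if ev["reason"] not in ("INVALID_CREDENTIALS", "LOCKED_OUT"):
            continue
        if not (ev["action"].startswith("user.authentication.") or ev["action"] == "user.session.start"):
            continue
        buckets[time_bucket(ev["@timestamp"])].append(ev)
    findings = []
    for start, evs in sorted(buckets.items()):
        users = {e["user"] for e in evs}
        ips = {e["ip"] for e in evs}
        total = len(evs)
        attempts_per_user = total / len(users)   # low ratio: few guesses per account (spray, not brute force)
        users_per_ip = len(users) / len(ips)     # >= 1: each source touches at least one account on average
        if (len(ips) >= MIN_IPS and len(users) >= MIN_USERS and total >= MIN_ATTEMPTS
                and attempts_per_user <= MAX_ATTEMPTS_PER_USER and users_per_ip >= MIN_USERS_PER_IP):
            findings.append({"time_bucket": start, "unique_users": len(users),
                             "unique_source_ips": len(ips), "total_attempts": total,
                             "attempts_per_user": attempts_per_user, "users_per_ip": users_per_ip})
    return findings

def sample_events():
    """Constructed sample (not real telemetry): 6 IPs each trying 5 of 10 accounts in one window,
    then a single-source brute force of one account in the next window (must not fire)."""
    t0 = datetime(2026, 2, 19, 10, 0, tzinfo=timezone.utc)
    evs = []
    for i in range(6):
        for j in range(5):
            evs.append({"@timestamp": t0 + timedelta(seconds=10 * (5 * i + j)),
                        "user": f"user{(i + j) % 10}@example.com", "ip": f"203.0.113.{i + 1}",
                        "reason": "INVALID_CREDENTIALS", "action": "user.authentication.auth_via_mfa"})
    for k in range(30):
        evs.append({"@timestamp": t0 + timedelta(minutes=20, seconds=k), "user": "admin@example.com",
                    "ip": "198.51.100.7", "reason": "INVALID_CREDENTIALS", "action": "user.session.start"})
    return evs
```

The single-source window fails the `unique_source_ips >= 5` test even though it has the same attempt count, which is exactly the gap a per-IP rule would also miss from the other direction.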
