Potential Okta Password Spray (Single Source)

calendar Feb 20, 2026 · Domain: Identity Use Case: Identity and Access Audit Tactic: Credential Access Data Source: Okta Data Source: Okta System Logs Resources: Investigation Guide  ·
Share on: linkedin copy

Detects potential password spray attacks where a single source IP attempts authentication against multiple Okta user accounts with repeated attempts per user, indicating common password guessing paced to avoid lockouts.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2020/07/16"
  3integration = ["okta"]
  4maturity = "production"
  5updated_date = "2026/02/19"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects potential password spray attacks where a single source IP attempts authentication against multiple Okta
 11user accounts with repeated attempts per user, indicating common password guessing paced to avoid lockouts.
 12"""
 13false_positives = [
 14    "Corporate proxy or VPN exit nodes may aggregate traffic from multiple legitimate users with login issues.",
 15    "Automated processes or misconfigured applications retrying authentication may trigger this rule.",
 16]
 17from = "now-1h"
 18interval = "15m"
 19language = "esql"
 20license = "Elastic License v2"
 21name = "Potential Okta Password Spray (Single Source)"
 22note = """## Triage and analysis
 23
 24### Investigating Potential Okta Password Spray (Single Source)
 25
 26This rule identifies a single source IP attempting authentication against multiple user accounts with repeated attempts per user over time. This pattern indicates password spraying where attackers try common passwords while pacing attempts to avoid lockouts.
 27
 28#### Possible investigation steps
 29- Identify the source IP and determine if it belongs to known proxy, VPN, or cloud infrastructure.
 30- Review the list of targeted user accounts and check if any authentications succeeded.
 31- Analyze the timing of attempts to determine if they are paced to avoid lockout thresholds.
 32- Check if Okta flagged the source as a known threat or proxy.
 33- Examine user agent strings for signs of automation or consistent tooling across attempts.
 34- Review the geographic location and ASN of the source IP for anomalies.
 35
 36### False positive analysis
 37- Corporate proxies or VPN exit nodes may aggregate traffic from multiple legitimate users with login issues.
 38- Automated processes or misconfigured applications retrying authentication may trigger this rule.
 39- Password rotation events may cause legitimate widespread authentication failures.
 40
 41### Response and remediation
 42- If attack is confirmed, block the source IP at the network perimeter.
 43- Notify targeted users and enforce password resets for accounts that may have been compromised.
 44- Enable or strengthen MFA for targeted accounts.
 45- Consider implementing CAPTCHA or additional friction for suspicious authentication patterns.
 46- Review Okta sign-on policies to ensure lockout thresholds are appropriately configured.
 47"""
 48references = [
 49    "https://support.okta.com/help/s/article/Troubleshooting-Distributed-Brute-Force-andor-Password-Spray-attacks-in-Okta",
 50    "https://www.okta.com/identity-101/brute-force/",
 51    "https://developer.okta.com/docs/reference/api/system-log/",
 52    "https://developer.okta.com/docs/reference/api/event-types/",
 53    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 54    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
 55    "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 56]
 57risk_score = 47
 58rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0"
 59severity = "medium"
 60tags = [
 61    "Domain: Identity",
 62    "Use Case: Identity and Access Audit",
 63    "Tactic: Credential Access",
 64    "Data Source: Okta",
 65    "Data Source: Okta System Logs",
 66    "Resources: Investigation Guide",
 67]
 68timestamp_override = "event.ingested"
 69type = "esql"
 70
 71query = '''
 72FROM logs-okta.system-* METADATA _id, _version, _index
 73| WHERE
 74    event.dataset == "okta.system"
 75    AND (event.action LIKE "user.authentication.*" OR event.action == "user.session.start")
 76    AND okta.outcome.reason IN ("INVALID_CREDENTIALS", "LOCKED_OUT")
 77    AND okta.actor.alternate_id IS NOT NULL
 78// Build user-source context as JSON for enrichment
 79| EVAL Esql.user_source_info = CONCAT(
 80    "{\"user\":\"", okta.actor.alternate_id,
 81    "\",\"ip\":\"", COALESCE(okta.client.ip::STRING, "unknown"),
 82    "\",\"user_agent\":\"", COALESCE(okta.client.user_agent.raw_user_agent, "unknown"), "\"}"
 83  )
 84// FIRST STATS: Aggregate by (IP, user) to get per-user attempt counts
 85// This prevents skew from outlier users with many attempts
 86| STATS
 87    Esql.user_attempts = COUNT(*),
 88    Esql.user_source_info = VALUES(Esql.user_source_info),
 89    Esql.user_agents_per_user = VALUES(okta.client.user_agent.raw_user_agent),
 90    Esql.devices_per_user = VALUES(okta.client.device),
 91    Esql.is_proxy = VALUES(okta.security_context.is_proxy),
 92    Esql.geo_country = VALUES(client.geo.country_name),
 93    Esql.geo_city = VALUES(client.geo.city_name),
 94    Esql.asn_number = VALUES(source.as.number),
 95    Esql.asn_org = VALUES(source.as.organization.name),
 96    Esql.threat_suspected = VALUES(okta.debug_context.debug_data.threat_suspected),
 97    Esql.risk_level = VALUES(okta.debug_context.debug_data.risk_level),
 98    Esql.event_actions = VALUES(event.action),
 99    Esql.first_seen_user = MIN(@timestamp),
100    Esql.last_seen_user = MAX(@timestamp)
101  BY okta.client.ip, okta.actor.alternate_id
102// SECOND STATS: Aggregate by IP to detect password spray pattern
103// Now we can accurately measure the distribution of attempts across users
104| STATS
105    Esql.unique_users = COUNT(*),
106    Esql.total_attempts = SUM(Esql.user_attempts),
107    Esql.max_attempts_per_user = MAX(Esql.user_attempts),
108    Esql.min_attempts_per_user = MIN(Esql.user_attempts),
109    Esql.avg_attempts_per_user = AVG(Esql.user_attempts),
110    // Spray band: 2-6 attempts per user (deliberate slow spray below lockout)
111    Esql.users_in_spray_band = SUM(CASE(Esql.user_attempts >= 2 AND Esql.user_attempts <= 6, 1, 0)),
112    // Also track users with only 1 attempt (stuffing-like) for differentiation
113    Esql.users_with_single_attempt = SUM(CASE(Esql.user_attempts == 1, 1, 0)),
114    Esql.first_seen = MIN(Esql.first_seen_user),
115    Esql.last_seen = MAX(Esql.last_seen_user),
116    Esql.target_users = VALUES(okta.actor.alternate_id),
117    Esql.user_source_mapping = VALUES(Esql.user_source_info),
118    Esql.event_action_values = VALUES(Esql.event_actions),
119    Esql.user_agent_values = VALUES(Esql.user_agents_per_user),
120    Esql.device_values = VALUES(Esql.devices_per_user),
121    Esql.is_proxy_values = VALUES(Esql.is_proxy),
122    Esql.geo_country_values = VALUES(Esql.geo_country),
123    Esql.geo_city_values = VALUES(Esql.geo_city),
124    Esql.source_asn_values = VALUES(Esql.asn_number),
125    Esql.source_asn_org_values = VALUES(Esql.asn_org),
126    Esql.threat_suspected_values = VALUES(Esql.threat_suspected),
127    Esql.risk_level_values = VALUES(Esql.risk_level)
128  BY okta.client.ip
129// Calculate spray signature metrics
130| EVAL
131    // Percentage of users in the spray band (2-6 attempts)
132    Esql.pct_users_in_spray_band = Esql.users_in_spray_band * 100.0 / Esql.unique_users,
133    // Attack duration in minutes (spray is paced, not bursty)
134    Esql.attack_duration_minutes = DATE_DIFF("minute", Esql.first_seen, Esql.last_seen)
135// Password spraying detection logic:
136// - Many users targeted (>= 5)
137// - Hard cap below Okta lockout threshold (max <= 8 attempts per user)
138// - Majority of users in spray band (2-6 attempts) (at least 60%)
139// - Attack is paced over time (>= 5 minutes) (not a 10-second burst like stuffing)
140// - Minimum total attempts to reduce noise
141// Note: For IP rotation attacks, see "Distributed Password Spray Attack in Okta" rule
142| WHERE
143    Esql.unique_users >= 5
144    AND Esql.total_attempts >= 15
145    AND Esql.max_attempts_per_user <= 8
146    AND Esql.max_attempts_per_user >= 2
147    AND Esql.pct_users_in_spray_band >= 60.0
148    AND Esql.attack_duration_minutes >= 5
149| SORT Esql.total_attempts DESC
150| KEEP Esql.*, okta.client.ip
151'''
152
153
154[[rule.threat]]
155framework = "MITRE ATT&CK"
156[[rule.threat.technique]]
157id = "T1110"
158name = "Brute Force"
159reference = "https://attack.mitre.org/techniques/T1110/"
160[[rule.threat.technique.subtechnique]]
161id = "T1110.003"
162name = "Password Spraying"
163reference = "https://attack.mitre.org/techniques/T1110/003/"
164
165
166[rule.threat.tactic]
167id = "TA0006"
168name = "Credential Access"
169reference = "https://attack.mitre.org/tactics/TA0006/"

Triage and analysis

Investigating Potential Okta Password Spray (Single Source)

This rule identifies a single source IP attempting authentication against multiple user accounts with repeated attempts per user over time. This pattern indicates password spraying where attackers try common passwords while pacing attempts to avoid lockouts.

Possible investigation steps

  • Identify the source IP and determine if it belongs to known proxy, VPN, or cloud infrastructure.
  • Review the list of targeted user accounts and check if any authentications succeeded.
  • Analyze the timing of attempts to determine if they are paced to avoid lockout thresholds.
  • Check if Okta flagged the source as a known threat or proxy.
  • Examine user agent strings for signs of automation or consistent tooling across attempts.
  • Review the geographic location and ASN of the source IP for anomalies.

False positive analysis

  • Corporate proxies or VPN exit nodes may aggregate traffic from multiple legitimate users with login issues.
  • Automated processes or misconfigured applications retrying authentication may trigger this rule.
  • Password rotation events may cause legitimate widespread authentication failures.

Response and remediation

  • If attack is confirmed, block the source IP at the network perimeter.
  • Notify targeted users and enforce password resets for accounts that may have been compromised.
  • Enable or strengthen MFA for targeted accounts.
  • Consider implementing CAPTCHA or additional friction for suspicious authentication patterns.
  • Review Okta sign-on policies to ensure lockout thresholds are appropriately configured.

References

  • Okta Support Center (Lightning)

    Loading ×Sorry to interrupt CSS Error Refresh


    Read More

  • Brute force attacks: Understanding, types, and prevention | Okta

    Learn what a brute force attack is, how they work, common types, and 10 effective strategies to protect your organization from credential-based threats.


    Read More

  • System Log

    The Okta System Log records system events that are related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. The System Log API provides near real-time, read-only access to your organization's System Log and is the programmatic counterpart of the [System Log UI](https://help.okta.com/okta_help.htm?id=ext_Reports_SysLog). The terms "event" and "log event" are often used interchangeably. In the context of this API, an "event" is an occurrence of interest within the system, and a "log" or "log event" is the recorded fact. The System Log API supports these primary use cases: * Event data export into a security information and event management system (SIEM) * System monitoring * Development debugging * Event introspection and audit > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). For further details and examples, see [System Log query](https://developer.okta.com/docs/reference/system-log-query/).


    Read More

  • Event Types | Okta Developer

    Secure, scalable, and highly available authentication and user management for any app.


    Read More

  • Testing your Okta visibility and detection with Dorothy and Elastic Security — Elastic Security Labs

    Dorothy is a tool for security teams to test their visibility and detection capabilities for their Okta environment. IAM solutions are frequently targeted by adversaries but poorly monitored. Learn how to get started with Dorothy in this post.


    Read More

  • Monitoring Okta threats with Elastic Security — Elastic Security Labs

    This article guides readers through establishing an Okta threat detection lab, emphasizing the importance of securing SaaS platforms like Okta. It details creating a lab environment with the Elastic Stack, integrating SIEM solutions, and Okta.


    Read More

  • Starter guide to understanding Okta — Elastic Security Labs

    This article delves into Okta's architecture and services, laying a solid foundation for threat research and detection engineering. Essential reading for those aiming to master threat hunting and detection in Okta environments.


    Read More

Related rules

to-top