High Number of Okta User Password Reset or Unlock Attempts

Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2020/08/19"
  3integration = ["okta"]
  4maturity = "production"
  5updated_date = "2024/09/23"
  6
  7[rule]
  8author = ["Elastic", "@BenB196", "Austin Songer"]
  9description = """
 10Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain
 11unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their
 12target's environment and evade detection.
 13"""
 14false_positives = [
 15    """
 16    The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit
 17    this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new
 18    rule.
 19    """,
 20]
 21from = "now-60m"
 22index = ["filebeat-*", "logs-okta*"]
 23language = "kuery"
 24license = "Elastic License v2"
 25name = "High Number of Okta User Password Reset or Unlock Attempts"
 26note = """## Triage and analysis
 27
 28### Investigating High Number of Okta User Password Reset or Unlock Attempts
 29
 30This rule is designed to detect a suspiciously high number of password reset or account unlock attempts in Okta. Excessive password resets or account unlocks can be indicative of an attacker's attempt to gain unauthorized access to an account.
 31
 32#### Possible investigation steps:
 33- Identify the actor associated with the excessive attempts. The `okta.actor.alternate_id` field can be used for this purpose.
 34- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.
 35- Review the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the password reset or unlock attempts.
 36- Review the event actions associated with these attempts. Look at the `event.action` field and filter for actions related to password reset and account unlock attempts.
 37- Check for other similar patterns of behavior from the same actor or IP address. If there is a high number of failed login attempts before the password reset or unlock attempts, this may suggest a brute force attack.
 38- Also, look at the times when these attempts were made. If these were made during off-hours, it could further suggest an adversary's activity.
 39
 40### False positive analysis:
 41- This alert might be a false positive if there are legitimate reasons for a high number of password reset or unlock attempts. This could be due to the user forgetting their password or account lockouts due to too many incorrect attempts.
 42- Check the actor's past behavior. If this is their usual behavior and they have a valid reason for it, then it might be a false positive.
 43
 44### Response and remediation:
 45- If unauthorized attempts are confirmed, initiate the incident response process.
 46- Reset the user's password and enforce MFA re-enrollment, if applicable.
 47- Block the IP address or device used in the attempts, if they appear suspicious.
 48- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.
 49- Consider a security review of your Okta policies and rules to ensure they follow security best practices.
 50
 51## Setup
 52
 53The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 54"""
 55references = [
 56    "https://developer.okta.com/docs/reference/api/system-log/",
 57    "https://developer.okta.com/docs/reference/api/event-types/",
 58    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 59    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
 60    "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 61]
 62risk_score = 47
 63rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457"
 64severity = "medium"
 65tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"]
 66timestamp_override = "event.ingested"
 67type = "threshold"
 68
 69query = '''
 70event.dataset:okta.system and
 71  event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or
 72                system.sms.send_account_unlock_message or system.sms.send_password_reset_message or
 73                system.voice.send_account_unlock_call or system.voice.send_password_reset_call or
 74                user.account.unlock_token)
 75'''
 76
 77
 78[[rule.threat]]
 79framework = "MITRE ATT&CK"
 80[[rule.threat.technique]]
 81id = "T1078"
 82name = "Valid Accounts"
 83reference = "https://attack.mitre.org/techniques/T1078/"
 84
 85
 86[rule.threat.tactic]
 87id = "TA0005"
 88name = "Defense Evasion"
 89reference = "https://attack.mitre.org/tactics/TA0005/"
 90[[rule.threat]]
 91framework = "MITRE ATT&CK"
 92[[rule.threat.technique]]
 93id = "T1078"
 94name = "Valid Accounts"
 95reference = "https://attack.mitre.org/techniques/T1078/"
 96
 97
 98[rule.threat.tactic]
 99id = "TA0003"
100name = "Persistence"
101reference = "https://attack.mitre.org/tactics/TA0003/"
102[[rule.threat]]
103framework = "MITRE ATT&CK"
104[[rule.threat.technique]]
105id = "T1078"
106name = "Valid Accounts"
107reference = "https://attack.mitre.org/techniques/T1078/"
108
109
110[rule.threat.tactic]
111id = "TA0001"
112name = "Initial Access"
113reference = "https://attack.mitre.org/tactics/TA0001/"
114
115[rule.threshold]
116field = ["okta.actor.alternate_id"]
117value = 5

Triage and analysis

Investigating High Number of Okta User Password Reset or Unlock Attempts

This rule is designed to detect a suspiciously high number of password reset or account unlock attempts in Okta. Excessive password resets or account unlocks can be indicative of an attacker's attempt to gain unauthorized access to an account.

Possible investigation steps:

  • Identify the actor associated with the excessive attempts. The okta.actor.alternate_id field can be used for this purpose.
  • Determine the client used by the actor. You can look at okta.client.device, okta.client.ip, okta.client.user_agent.raw_user_agent, okta.client.ip_chain.ip, and okta.client.geographical_context.
  • Review the okta.outcome.result and okta.outcome.reason fields to understand the outcome of the password reset or unlock attempts.
  • Review the event actions associated with these attempts. Look at the event.action field and filter for actions related to password reset and account unlock attempts.
  • Check for other similar patterns of behavior from the same actor or IP address. If there is a high number of failed login attempts before the password reset or unlock attempts, this may suggest a brute force attack.
  • Also, look at the times when these attempts were made. If these were made during off-hours, it could further suggest an adversary's activity.

False positive analysis:

  • This alert might be a false positive if there are legitimate reasons for a high number of password reset or unlock attempts. This could be due to the user forgetting their password or account lockouts due to too many incorrect attempts.
  • Check the actor's past behavior. If this is their usual behavior and they have a valid reason for it, then it might be a false positive.

Response and remediation:

  • If unauthorized attempts are confirmed, initiate the incident response process.
  • Reset the user's password and enforce MFA re-enrollment, if applicable.
  • Block the IP address or device used in the attempts, if they appear suspicious.
  • If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.
  • Consider a security review of your Okta policies and rules to ensure they follow security best practices.

Setup

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top