Okta User Account Locked Out
Detects when an user account is locked out.
Sigma rule (View on GitHub)
1title: Okta User Account Locked Out
2id: 14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a
3status: test
4description: Detects when an user account is locked out.
5references:
6 - https://developer.okta.com/docs/reference/api/system-log/
7 - https://developer.okta.com/docs/reference/api/event-types/
8author: Austin Songer @austinsonger
9date: 2021/09/12
10modified: 2022/10/09
11tags:
12 - attack.impact
13 - attack.t1531
14logsource:
15 product: okta
16 service: okta
17detection:
18 selection:
19 displaymessage: Max sign in attempts exceeded
20 condition: selection
21falsepositives:
22 - Unknown
23level: medium
References
Related rules
- Cisco Denial of Service
- Cisco File Deletion
- Cisco Modify Configuration
- Delete Volume Shadow Copies via WMI with PowerShell - PS Script
- Powershell Add Name Resolution Policy Table Rule