Okta Account Locked Out

Splunk Security Content

Summary
The 'Okta Account Locked Out' detection rule identifies user accounts in the Okta platform that have been locked out after multiple failed authentication attempts, which may indicate a brute-force or password-spraying attack. The rule uses the Okta 'user.account.lock' event to capture account lockouts. The analytic filters for these events and aggregates them by source IP address, counting the lockouts per source. If the count from a single source IP reaches the threshold (3 or more), the source is flagged as a potential security concern, since it indicates that multiple accounts may have been locked out from one origin, often with malicious intent. Note that this rule has been deprecated and replaced by the 'Okta Multiple Accounts Locked Out' rule; users are advised to migrate to the updated rule for ongoing protection.
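The aggregation the summary describes, counting 'user.account.lock' events per source IP and flagging sources at or above the threshold, as an added Python example that is not part of Splunk Security Content. The sample events are constructed in the shape of Okta System Log records; the field names client.ipAddress and target[].alternateId are assumed.

```python
from collections import defaultdict

LOCKOUT_EVENT = "user.account.lock"
THRESHOLD = 3  # the rule's threshold: 3 or more lockouts from one source IP


def _event(event_type, ip, user):
    # Build a minimal Okta-style System Log record (constructed sample, not real data).
    return {"eventType": event_type, "client": {"ipAddress": ip},
            "target": [{"type": "User", "alternateId": user}]}


# Constructed sample: three lockouts from one source IP, one from another.
SAMPLE_EVENTS = [
    _event("user.account.lock", "198.51.100.7", "alice@example.com"),
    _event("user.account.lock", "198.51.100.7", "bob@example.com"),
    _event("user.session.start", "198.51.100.7", "alice@example.com"),  # not a lockout
    _event("user.account.lock", "198.51.100.7", "carol@example.com"),
    _event("user.account.lock", "203.0.113.9", "dave@example.com"),  # below threshold
]


def lockouts_by_source_ip(events):
    """Return {source_ip: {"count": n, "users": set}} over user.account.lock events only."""
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for ev in events:
        if ev.get("eventType") != LOCKOUT_EVENT:
            continue
        src_ip = ev.get("client", {}).get("ipAddress", "unknown")
        # The locked account is listed under target[]; fall back to the actor if absent.
        targets = ev.get("target") or []
        user = next((t.get("alternateId") for t in targets if t.get("type") == "User"), None)
        if user is None:
            user = ev.get("actor", {}).get("alternateId", "unknown")
        stats[src_ip]["count"] += 1
        stats[src_ip]["users"].add(user)
    return stats


def flag_suspicious_sources(events, threshold=THRESHOLD):
    """Return source IPs whose lockout count meets the threshold, with the distinct users hit."""
    flagged = {}
    for ip, s in lockouts_by_source_ip(events).items():
        if s["count"] >= threshold:
            flagged[ip] = {"count": s["count"], "users": sorted(s["users"])}
    return flagged


if __name__ == "__main__":
    for ip, detail in flag_suspicious_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: {detail['count']} lockouts across {detail['users']}")
```

The distinct-user set is what distinguishes a spray across many accounts from one user repeatedly locking their own account, which is the case to triage first.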
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • User Account
  • Cloud Service
ATT&CK Techniques
  • T1110
Created: 2024-11-14