Okta User Account Locked Out

Sigma Rules

Summary
This detection rule identifies instances where an Okta user account is locked out because the maximum number of permitted sign-in attempts was exceeded. It relies on Okta's system log events and matches on the specific display message Okta writes for a lockout. When a user fails to authenticate several times in succession, Okta locks the account as a protective measure, so this rule alerts security teams to possible unauthorized access attempts or brute-force attacks against user accounts. The detection is contingent on the message 'Max sign in attempts exceeded' being present in the log entries generated by Okta. The associated references describe Okta's API events and event types, which can assist in further analysis and in any remediation that proves necessary. The rule is assigned medium severity because of its potential impact on user accounts and organizational security.
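The following is an added example, not the Sigma rule itself or code from Okta: it applies the rule's single condition (display message equals 'Max sign in attempts exceeded') to a stream of Okta System Log entries and then groups the resulting alerts by source address, which is the first question an analyst asks when triaging lockouts. The JSON field names (displayMessage, eventType, actor.alternateId, client.ipAddress, published) follow Okta's System Log API as I know it; the sample events themselves are constructed. Sigma backends generally compare strings case-insensitively, so the match below does the same.

```python
import json
from collections import Counter
from collections.abc import Iterable

# The display message named in the rule summary. Compared case-insensitively,
# as Sigma's default string matching is.
LOCKOUT_MESSAGE = "max sign in attempts exceeded"

# Constructed sample log lines in the shape of Okta System Log entries
# (field names assumed from Okta's System Log API; all values are made up).
SAMPLE_EVENTS = [
    json.dumps({"eventType": "user.session.start",
                "displayMessage": "User login to Okta",
                "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
                "actor": {"alternateId": "alice@example.com"},
                "client": {"ipAddress": "198.51.100.10"},
                "published": "2021-09-12T10:00:01.000Z"}),
    json.dumps({"eventType": "user.account.lock",
                "displayMessage": "Max sign in attempts exceeded",
                "outcome": {"result": "SUCCESS"},
                "actor": {"alternateId": "alice@example.com"},
                "client": {"ipAddress": "198.51.100.10"},
                "published": "2021-09-12T10:00:09.000Z"}),
    json.dumps({"eventType": "user.account.lock",
                "displayMessage": "Max sign in attempts exceeded",
                "outcome": {"result": "SUCCESS"},
                "actor": {"alternateId": "bob@example.com"},
                "client": {"ipAddress": "198.51.100.10"},
                "published": "2021-09-12T10:00:12.000Z"}),
    "this line is not JSON {",  # constructed: a truncated line the pipeline must survive
    json.dumps({"eventType": "user.account.lock",
                "displayMessage": "Max sign in attempts exceeded",
                "outcome": {"result": "SUCCESS"},
                "actor": {"alternateId": "carol@example.com"},
                "client": {"ipAddress": "203.0.113.7"},
                "published": "2021-09-12T11:30:00.000Z"}),
]


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's only condition on displayMessage."""
    message = event.get("displayMessage")
    return isinstance(message, str) and message.strip().lower() == LOCKOUT_MESSAGE


def detect_lockouts(lines: Iterable[str]) -> list[dict]:
    """Run the rule over raw log lines and return one alert per matching event.

    Malformed lines are skipped rather than allowed to abort the whole batch.
    """
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict) or not matches_rule(event):
            continue
        alerts.append({
            "user": event.get("actor", {}).get("alternateId"),
            "source_ip": event.get("client", {}).get("ipAddress"),
            "time": event.get("published"),
            "event_type": event.get("eventType"),
        })
    return alerts


def lockouts_per_source(alerts: list[dict]) -> Counter:
    """Triage helper: several distinct accounts locked from one address in a
    short window is the pattern that distinguishes a spraying attempt from a
    single user who forgot a password."""
    return Counter(a["source_ip"] for a in alerts)


if __name__ == "__main__":
    found = detect_lockouts(SAMPLE_EVENTS)
    for alert in found:
        print(f"{alert['time']} lockout user={alert['user']} src={alert['source_ip']}")
    print("lockouts per source:", dict(lockouts_per_source(found)))
```

Feed `detect_lockouts` the newline-delimited output of an Okta System Log export (or a SIEM query restricted to product okta) and use `lockouts_per_source` to decide whether an alert is one user's mistake or many accounts hit from one address.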
Categories
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Logon Session
Created: 2021-09-12