Commit

testing changed detections
patel-bhavin committed Jul 9, 2024
1 parent f23d293 commit fd5c7a8
Showing 3 changed files with 3 additions and 3 deletions.
Expand Up @@ -6,7 +6,7 @@ author: Michael Haag, Mauricio Velazco, Splunk
data_source: []
type: Anomaly
status: production
description: The following analytic detects multiple Okta accounts being locked out
description: The following analytic detects multiple Okta accounts being locked out
within a short period. It uses the user.account.lock event from Okta logs, aggregated
over a 5-minute window, to identify this behavior. This activity is significant
as it may indicate a brute force or password spraying attack, where an adversary
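Review bot: the removed and added `description:` lines in this hunk read identically in the rendered diff, so the change appears to be whitespace or line-ending only; if that is the intent, the commit message "testing changed detections" should say so. Also, `data_source: []` is empty for a `status: production` analytic whose description depends on a specific event (`user.account.lock` from Okta logs); consider listing the Okta log source the search actually reads so the metadata matches the description.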
Expand Up @@ -6,7 +6,7 @@ author: Mauricio Velazco, Splunk
data_source: []
type: Anomaly
status: production
description: The following analytic identifies multiple failed multi-factor authentication
description: The following analytic identifies multiple failed multi-factor authentication
(MFA) requests for a single user within an Okta tenant. It triggers when more than
10 MFA attempts fail within 5 minutes, using Okta event logs to detect this pattern.
This activity is significant as it may indicate an adversary attempting to bypass
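Review bot: as in the first file, the `-` and `+` `description:` lines are identical here, so nothing substantive changes in this hunk. Two points on the visible context: `data_source: []` is empty although the description states the detection "uses Okta event logs", and the threshold ("more than 10 MFA attempts fail within 5 minutes") is hard-coded in prose, so any later tuning of the search will need a matching edit to the description or the two will drift apart.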
Expand Up @@ -6,7 +6,7 @@ author: John Murphy, Okta, Michael Haag, Splunk
type: Hunting
status: experimental
data_source: []
description: 'The following analytic detects multiple failed attempts to access applications
description: 'The following analytic detects multiple failed attempts to access applications
in Okta, potentially indicating the reuse of a stolen web session cookie. It leverages
Okta logs to evaluate policy and SSO events, aggregating data by user, session,
and IP. The detection triggers when more than half of the app sign-on attempts are
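Review bot: the `description:` value in this file is an opening-quoted YAML scalar (`'The following analytic ...`) while the other two files use an unquoted block; the closing quote is outside the hunk, so please confirm the scalar still closes after this edit. The key order here (`type`, `status`, `data_source`) also differs from the other two files (`data_source`, `type`, `status`), and `data_source: []` is empty even though the description says the analytic "leverages Okta logs to evaluate policy and SSO events"; populating it and aligning key order would keep the three detection files consistent.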