diff --git a/detections/application/okta_multiple_accounts_locked_out.yml b/detections/application/okta_multiple_accounts_locked_out.yml index 7771f9cfa8..1198286cc5 100644 --- a/detections/application/okta_multiple_accounts_locked_out.yml +++ b/detections/application/okta_multiple_accounts_locked_out.yml @@ -6,7 +6,7 @@ author: Michael Haag, Mauricio Velazco, Splunk data_source: [] type: Anomaly status: production -description: The following analytic detects multiple Okta accounts being locked out +description: The following analytic detects multiple Okta accounts being locked out within a short period. It uses the user.account.lock event from Okta logs, aggregated over a 5-minute window, to identify this behavior. This activity is significant as it may indicate a brute force or password spraying attack, where an adversary diff --git a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml index d0a539de30..7a6ab9e7a3 100644 --- a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml +++ b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml @@ -6,7 +6,7 @@ author: Mauricio Velazco, Splunk data_source: [] type: Anomaly status: production -description: The following analytic identifies multiple failed multi-factor authentication +description: The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within an Okta tenant. It triggers when more than 10 MFA attempts fail within 5 minutes, using Okta event logs to detect this pattern. This activity is significant as it may indicate an adversary attempting to bypass diff --git a/detections/application/okta_multiple_failed_requests_to_access_applications.yml b/detections/application/okta_multiple_failed_requests_to_access_applications.yml index 56a07ee4db..389d3f0156 100644 --- a/detections/application/okta_multiple_failed_requests_to_access_applications.yml +++ b/detections/application/okta_multiple_failed_requests_to_access_applications.yml @@ -6,7 +6,7 @@ author: John Murphy, Okta, Michael Haag, Splunk type: Hunting status: experimental data_source: [] -description: 'The following analytic detects multiple failed attempts to access applications +description: 'The following analytic detects multiple failed attempts to access applications in Okta, potentially indicating the reuse of a stolen web session cookie. It leverages Okta logs to evaluate policy and SSO events, aggregating data by user, session, and IP. The detection triggers when more than half of the app sign-on attempts are