Okta User Logins from Multiple Cities

name: Okta User Logins from Multiple Cities
id: a3d1df37-c2a9-41d0-aa8f-59f82d6192a8
version: 7
date: '2026-03-10'
author: Bhavin Patel, Splunk
data_source:
    - Okta
type: Anomaly
status: production
description: The following analytic identifies instances where the same Okta user logs in from different cities within a 24-hour period. This detection leverages Okta Identity Management logs, analyzing login events and their geographic locations. Such behavior is significant as it may indicate a compromised account, with an attacker attempting unauthorized access from multiple locations. If confirmed malicious, this activity could lead to account takeovers and data breaches, allowing attackers to access sensitive information and potentially escalate their privileges within the environment.
search: |-
    | tstats  `security_content_summariesonly` values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason values(Authentication.dest) as dest values(Authentication.signature) as signature  values(Authentication.method) as method FROM datamodel=Authentication
      WHERE Authentication.signature=user.session.start
      BY _time Authentication.src
    | `drop_dm_object_name("Authentication")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | iplocation src
    | stats count min(_time) as firstTime max(_time) as lastTime dc(src) as distinct_src dc(City) as distinct_city values(src) as src values(City) as City values(Country) as Country values(action) as action
      BY user
    | where distinct_city > 1
    | `okta_user_logins_from_multiple_cities_filter`
how_to_implement: This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
known_false_positives: It is uncommon for a user to log in from multiple cities simultaneously, which may indicate a false positive.
references:
    - https://attack.mitre.org/techniques/T1110/003/
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A user [$user$] has logged in from multiple cities [$City$] from IP Address - [$src$]. Investigate further to determine if this was authorized.
    risk_objects:
        - field: user
          type: user
          score: 20
    threat_objects:
        - field: src
          type: ip_address
tags:
    analytic_story:
        - Okta Account Takeover
    asset_type: Okta Tenant
    mitre_attack_id:
        - T1586.003
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: identity
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city_im2.log
          source: Okta
          sourcetype: OktaIM2:log