Okta Multiple Accounts Locked Out

name: Okta Multiple Accounts Locked Out
id: a511426e-184f-4de6-8711-cfd2af29d1e1
version: 10
creation_date: '2024-04-17'
modification_date: '2026-05-13'
author: Michael Haag, Mauricio Velazco, Splunk
status: production
type: Anomaly
description: The following analytic detects multiple Okta accounts being locked out within a short period. It uses the user.account.lock event from Okta logs, aggregated over a 5-minute window, to identify this behavior. This activity is significant as it may indicate a brute force or password spraying attack, where an adversary attempts to guess passwords, leading to account lockouts. If confirmed malicious, this could result in potential account takeovers or unauthorized access to sensitive Okta accounts, posing a significant security risk.
data_source:
    - Okta
search: |-
    | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime values(All_Changes.user) as user FROM datamodel=Change
      WHERE All_Changes.change_type=AAA All_Changes.object_category=User
        AND
        All_Changes.action=lockout
        AND
        All_Changes.command=user.account.lock
      BY _time span=5m All_Changes.result
         All_Changes.command sourcetype All_Changes.src
         All_Changes.dest
    | where count > 5
    | `drop_dm_object_name("All_Changes")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `okta_multiple_accounts_locked_out_filter`
how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
known_false_positives: Multiple account lockouts may be also triggered by an application malfunction. Filter as needed, and monitor for any unusual activity.
references:
    - https://attack.mitre.org/techniques/T1110/
    - https://splunkbase.splunk.com/app/6553
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: user
          type: user
          score: 20
          message: Multiple accounts locked out in Okta from [$src$]. Investigate further to determine if this was authorized.
threat_objects:
    - field: src
      type: ip_address
analytic_story:
    - Okta Account Takeover
asset_type: Okta Tenant
mitre_attack_id:
    - T1110
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: application
security_domain: identity
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.log
          source: Okta
          sourcetype: OktaIM2:log
      test_type: unit