Okta Multiple Accounts Locked Out

name: Okta Multiple Accounts Locked Out
id: a511426e-184f-4de6-8711-cfd2af29d1e1
version: 8
date: '2026-03-10'
author: Michael Haag, Mauricio Velazco, Splunk
data_source:
    - Okta
type: Anomaly
status: production
description: The following analytic detects multiple Okta accounts being locked out within a short period. It uses the user.account.lock event from Okta logs, aggregated over a 5-minute window, to identify this behavior. This activity is significant as it may indicate a brute force or password spraying attack, where an adversary attempts to guess passwords, leading to account lockouts. If confirmed malicious, this could result in potential account takeovers or unauthorized access to sensitive Okta accounts, posing a significant security risk.
search: |-
    | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime values(All_Changes.user) as user FROM datamodel=Change
      WHERE All_Changes.change_type=AAA All_Changes.object_category=User
        AND
        All_Changes.action=lockout
        AND
        All_Changes.command=user.account.lock
      BY _time span=5m All_Changes.result
         All_Changes.command sourcetype All_Changes.src
         All_Changes.dest
    | where count > 5
    | `drop_dm_object_name("All_Changes")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `okta_multiple_accounts_locked_out_filter`
how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
known_false_positives: Multiple account lockouts may be also triggered by an application malfunction. Filter as needed, and monitor for any unusual activity.
references:
    - https://attack.mitre.org/techniques/T1110/
    - https://splunkbase.splunk.com/app/6553
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Multiple accounts locked out in Okta from [$src$]. Investigate further to determine if this was authorized.
    risk_objects:
        - field: user
          type: user
          score: 20
    threat_objects:
        - field: src
          type: ip_address
tags:
    analytic_story:
        - Okta Account Takeover
    asset_type: Okta Tenant
    mitre_attack_id:
        - T1110
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: identity
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.log
          source: Okta
          sourcetype: OktaIM2:log