Skip to content
Threat Feed
high advisory

Okta ThreatInsight Detection of Credential Access Attempts

Okta ThreatInsight detected events indicating password spraying, login failures, and high counts of unknown user login attempts, potentially leading to unauthorized access and credential compromise.

This brief focuses on threats detected by Okta ThreatInsight, a security feature within the Okta Identity Cloud platform. These threats include, but are not limited to, password spraying attacks, excessive login failures, and a high frequency of login attempts from previously unknown users. The activity is detected through Okta Identity Management logs and is flagged when the security.threat.detected event type is triggered. The alerts generated from these detections can indicate active credential compromise attempts targeting an organization's Okta-managed accounts. This activity matters to defenders as successful credential attacks can lead to unauthorized access, data breaches, and further lateral movement within the organization's network.

Attack Chain

  1. The attacker attempts to gain initial access using compromised or guessed credentials.
  2. Okta ThreatInsight monitors login attempts and identifies suspicious patterns (e.g., password spraying) based on the frequency of login failures and source IPs.
  3. When a threat threshold is met, Okta generates a security.threat.detected event.
  4. The event includes details about the source IP (src_ip), the application being accessed (app), and the reason for the threat detection (outcome.reason).
  5. The event is logged and ingested into the SIEM for analysis.
  6. The SOC analyst investigates the src_ip to determine if the activity is malicious.
  7. If the activity is malicious, the analyst takes action to block the src_ip and reset the compromised user's password.
  8. Successful compromise enables lateral movement, data exfiltration, or other malicious actions within the target environment.

Impact

Successful exploitation of Okta credentials can lead to widespread unauthorized access to applications and data protected by Okta. This can result in data breaches, financial loss, and reputational damage. The number of affected users and systems depends on the scope of the attacker's access. Organizations in all sectors that rely on Okta for identity management are at risk.

Recommendation

  • Deploy the Sigma rule Okta ThreatInsight Threat Detected to your SIEM using Okta logs to detect potentially malicious login attempts.
  • Investigate any alerts generated by the Okta ThreatInsight Threat Detected rule and block any malicious source IPs (src_ip) identified.
  • Monitor Okta logs for security.threat.detected events and correlate them with other security events to identify potential breaches.
  • Review and fine-tune Okta ThreatInsight settings to reduce false positives and ensure accurate threat detection, based on the documentation available at https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected.
  • Implement multi-factor authentication (MFA) for all Okta users to reduce the risk of credential compromise.

Detection coverage 2

Okta ThreatInsight Threat Detected

high

Detects threats identified by Okta ThreatInsight, such as password spraying and login failures.

sigma tactics: credential_access techniques: T1078.004 sources: webserver, okta

Okta ThreatInsight - High Number of Failed Logins from Single IP

medium

Detects a high number of failed login attempts from a single IP address, as reported by Okta ThreatInsight.

sigma tactics: credential_access techniques: T1110.003 sources: webserver, okta

Detection queries are available on the platform. Get full rules →