Skip to content
Threat Feed
high advisory

Okta User Logins from Multiple Cities Within 24 Hours

This analytic identifies instances where the same Okta user logs in from different cities within a 24-hour period, potentially indicating a compromised account and leading to account takeovers and data breaches.

This detection identifies anomalous Okta user login activity where a single user authenticates from multiple geographically distinct cities within a 24-hour timeframe. This behavior is indicative of potential account compromise, where an attacker gains unauthorized access to a user's Okta account. The original Splunk ES/CU analytic was published on 2026-04-17. This activity matters for defenders because a compromised Okta account can grant attackers access to a wide range of applications and services integrated with Okta, leading to data breaches, privilege escalation, and further lateral movement within the organization's environment.

Attack Chain

  1. Attacker gains access to valid Okta user credentials through credential stuffing, phishing, or malware.
  2. Attacker initiates a login attempt to Okta from their location.
  3. Okta records the login attempt, including the user, source IP address, and geolocation.
  4. The legitimate user, or another attacker, initiates a separate login from a different city.
  5. Okta records the second login attempt with the new IP address and geolocation.
  6. A security monitoring system detects the multiple logins from different cities for the same user within 24 hours.
  7. The attacker leverages the compromised account to access applications and data protected by Okta.
  8. The attacker may escalate privileges or move laterally within the connected systems.

Impact

A successful account takeover can lead to unauthorized access to sensitive data, including customer information, financial records, and intellectual property. The impact can range from financial losses due to fraud to reputational damage and regulatory fines. Depending on the permissions of the compromised account, attackers may also be able to escalate privileges, move laterally to other systems, and cause widespread disruption. The number of potential victims is dependent on the scope of the Okta tenant and the applications connected to it.

Recommendation

  • Deploy the Sigma rule Okta User Logins from Multiple Cities to your SIEM and tune for your environment to detect the described behavior.
  • Investigate alerts generated by the Sigma rule Okta User Logins from Multiple Cities to determine the legitimacy of the login activity and take appropriate remediation steps if the account is compromised.
  • Enrich detections with threat intelligence to identify known malicious IP addresses or user agents.
  • Monitor Okta logs for suspicious activity, such as failed login attempts, changes to user profiles, or unusual application access patterns.

Detection coverage 2

Okta User Logins from Multiple Cities

high

Detects Okta users logging in from multiple cities within a short timeframe, indicating potential account compromise.

sigma tactics: initial_access techniques: T1110.003, T1586.003 sources: webserver, okta

Okta User Logins from Multiple Countries

high

Detects Okta users logging in from multiple countries within a short timeframe, indicating potential account compromise.

sigma tactics: initial_access techniques: T1110.003, T1586.003 sources: webserver, okta

Detection queries are available on the platform. Get full rules →