Synopsis
| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Threat Module |
| Detector Tags | Okta Audit Analytics |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
An administrative user unlocked an Okta account.
Attacker's Goals
The attacker's goal is to gain unauthorized access to sensitive information or resources and to gain control over the locked account.
Investigative actions
- Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities.
- Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise.
- Examine the user's actions preceding and following the activation of the alert.
- Initiate contact with the user to verify the authenticity of the account unlock action.
- Check whether the account's user successfully authenticated after the event.
- Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.
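
The investigative actions above can be partly automated against exported Okta audit events. The following is an added example, not part of the original alert documentation or the vendor's detector logic: it correlates each admin unlock with the unlocked user's activity before and after it. The event type names (`user.account.unlock_by_admin`, `user.account.lock`, `user.session.start`), the trimmed record shape, and the function name `triage_unlocks` are assumptions; the sample events are constructed.

```python
from datetime import datetime, timedelta

# Event type names are assumptions; match them to your Okta System Log data.
UNLOCK, LOCK, LOGIN = "user.account.unlock_by_admin", "user.account.lock", "user.session.start"

def _ev(when, etype, actor, ip, target=None):
    """Build a constructed, trimmed event in the shape of an Okta System Log record."""
    return {"published": when, "eventType": etype, "actor": {"alternateId": actor},
            "client": {"ipAddress": ip}, "outcome": {"result": "SUCCESS"},
            "target": [{"type": "User", "alternateId": target}] if target else []}

SAMPLE_EVENTS = [  # constructed sample data, not real logs
    _ev("2024-05-01T09:00:00.000Z", LOGIN, "alice@example.com", "198.51.100.10"),
    _ev("2024-05-02T03:10:00.000Z", LOCK, "alice@example.com", "203.0.113.77"),
    _ev("2024-05-02T03:15:00.000Z", UNLOCK, "admin@example.com", "198.51.100.20",
        target="alice@example.com"),
    _ev("2024-05-02T03:17:00.000Z", LOGIN, "alice@example.com", "203.0.113.77"),
]

def _ts(e):
    return datetime.fromisoformat(e["published"].replace("Z", "+00:00"))

def _is_login(e):
    return e["eventType"] == LOGIN and e["outcome"]["result"] == "SUCCESS"

def triage_unlocks(events, window=timedelta(hours=24)):
    """For each admin unlock, summarise the unlocked user's activity around it."""
    events = sorted(events, key=_ts)
    findings = []
    for u in (e for e in events if e["eventType"] == UNLOCK):
        user = next((t["alternateId"] for t in u["target"] if t["type"] == "User"), None)
        if user is None:
            continue  # unlock event without a user target: nothing to correlate
        mine = [e for e in events if e["actor"]["alternateId"] == user]
        before = [e for e in mine if _ts(e) < _ts(u)]
        after = [e for e in mine if _ts(u) < _ts(e) <= _ts(u) + window]
        known_ips = {e["client"]["ipAddress"] for e in before if _is_login(e)}
        logins_after = [e for e in after if _is_login(e)]
        findings.append({
            "admin": u["actor"]["alternateId"], "user": user,
            "locked_before": any(e["eventType"] == LOCK and _ts(e) >= _ts(u) - window
                                 for e in before),
            "authenticated_after": bool(logins_after),
            "new_ips_after": sorted({e["client"]["ipAddress"] for e in logins_after} - known_ips),
        })
    return findings

if __name__ == "__main__":
    for f in triage_unlocks(SAMPLE_EVENTS):
        print(f)
```

A finding with `authenticated_after` set and a non-empty `new_ips_after` is the case to raise with the user when verifying the unlock.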