Okta account reset password attempt

Cortex XSIAM Analytics Alert Reference by Alert name
Product
Cortex XSIAM
Last date published
2025-03-17
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

1 Day

Required Data

  • Requires:
    • Okta Audit Log

Detection Modules

Identity Threat Module

Detector Tags

Okta Audit Analytics

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Valid Accounts (T1078)

Severity

Informational

Description

A user used a weak factor to reset their Okta password.

Attacker's Goals

The attacker might deceive the victim into resetting their password, a common tactic in account takeover schemes.

Investigative actions

  • Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities.
  • Reach out to the user to confirm the legitimacy of the recent password reset activity.
  • Examine the IP address and assess its reputation.
  • Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.

Variations

Suspicious Okta account reset password attempt

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Valid Accounts (T1078)

Severity

Low

Description

A user used a weak factor to reset their Okta password.

Attacker's Goals

The attacker might deceive the victim into resetting their password, a common tactic in account takeover schemes.

Investigative actions

  • Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities.
  • Reach out to the user to confirm the legitimacy of the recent password reset activity.
  • Examine the IP address and assess its reputation.
  • Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.