Okta account unlock by admin

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2025-01-19
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Okta Audit Log

Detection Modules

Identity Threat Module

Detector Tags

Okta Audit Analytics

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Valid Accounts (T1078)

Severity

Informational

Description

An administrative user unlocked an Okta account.

Attacker's Goals

The attacker's goal is to gain unauthorized access to sensitive information or resources and to gain control over the locked account.

Investigative actions

  • Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities.
  • Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise.
  • Examine the user's actions preceding and following the activation of the alert.
  • Initiate contact with the user to verify the authenticity of the account unlock action.
  • Check account the user successfully authenticated after the event.
  • Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.

Variations

Suspicious Okta account unlock by admin

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Valid Accounts (T1078)

Severity

Low

Description

An administrative user unlocked an Okta account.

Attacker's Goals

The attacker's goal is to gain unauthorized access to sensitive information or resources and to gain control over the locked account.

Investigative actions

  • Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities.
  • Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise.
  • Examine the user's actions preceding and following the activation of the alert.
  • Initiate contact with the user to verify the authenticity of the account unlock action.
  • Check account the user successfully authenticated after the event.
  • Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.