---
title: Okta Identity Threat Protection detected brute force attack
description: Datadog, the leading service for cloud-scale monitoring.
---

# Okta Identity Threat Protection detected brute force attack

- Classification: attack
- Tactic: [TA0006-credential-access](https://attack.mitre.org/tactics/TA0006)
- Technique: [T1110-brute-force](https://attack.mitre.org/techniques/T1110)

## Goal{% #goal %}

Detects when Okta Identity Threat Protection identifies an MFA brute force attack against a user account.

## Strategy{% #strategy %}

This rule monitors Okta logs for `user.risk.detect` events where the `@debugContext.debugData.risk` field references an MFA brute force attempt. [Okta Identity Threat Protection (ITP)](https://help.okta.com/oie/en-us/content/topics/itp/overview) is a built-in risk engine that analyzes authentication patterns in real time. When ITP flags a brute force attack, it indicates that an attacker is repeatedly attempting to satisfy MFA challenges for a targeted account, which can lead to unauthorized access if a weak or fatigued factor is eventually accepted.

## Triage and response{% #triage-and-response %}

- Identify the user account targeted by the brute force attack and determine if the MFA challenge was ultimately satisfied or if all attempts were denied.
- Review authentication logs from `{{@network.client.ip}}` to assess the volume and timing of the failed MFA attempts.
- Check whether the targeted user reported receiving unexpected MFA push notifications or one-time passcode requests.
- Examine if `{{@network.client.ip}}` has been associated with other brute force or credential stuffing activity across additional accounts.
- Verify the MFA factors enrolled for the targeted account and determine if weaker methods such as SMS or push notifications without number matching are in use.
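
The detection match and the first triage checks above, as an added example (not Datadog's rule definition or Okta's code). It assumes raw Okta System Log JSON fields (`client.ipAddress`, `actor.alternateId`, `outcome.result`, and the `user.authentication.auth_via_mfa` event type), uses constructed events, and matches a placeholder `risk` string by substring because the page does not show the real ITP value.

```python
MFA_EVENT = "user.authentication.auth_via_mfa"  # Okta System Log MFA verification event

def ev(ts, etype, user, ip, result, risk=None):
    """Build one constructed event in Okta System Log shape (sample data only)."""
    e = {"published": f"2024-05-01T{ts}.000Z", "eventType": etype,
         "actor": {"alternateId": user}, "client": {"ipAddress": ip},
         "outcome": {"result": result}, "target": [{"type": "User", "alternateId": user}]}
    if risk:
        e["debugContext"] = {"debugData": {"risk": risk}}
    return e

# Constructed events. The risk strings are placeholders: the page does not show
# the real ITP value, so matching on "brute force" is an assumption.
SAMPLE_EVENTS = [
    ev("10:00:01", MFA_EVENT, "alice@example.com", "203.0.113.10", "FAILURE"),
    ev("10:00:05", MFA_EVENT, "alice@example.com", "203.0.113.10", "FAILURE"),
    ev("10:00:09", MFA_EVENT, "alice@example.com", "203.0.113.10", "FAILURE"),
    ev("10:00:12", "user.risk.detect", "alice@example.com", "203.0.113.10", "SUCCESS",
       "{level=HIGH, reasons=MFA Brute Force}"),
    ev("10:00:20", MFA_EVENT, "alice@example.com", "203.0.113.10", "SUCCESS"),
    ev("10:01:00", MFA_EVENT, "bob@example.com", "203.0.113.10", "FAILURE"),
    ev("10:02:00", MFA_EVENT, "carol@example.com", "198.51.100.7", "FAILURE"),
    ev("10:03:00", "user.risk.detect", "dave@example.com", "198.51.100.7", "SUCCESS",
       "{level=LOW, reasons=New Device}"),
]

def is_bruteforce_detection(e):
    """True for user.risk.detect events whose risk field mentions brute force."""
    risk = str(e.get("debugContext", {}).get("debugData", {}).get("risk", ""))
    return e.get("eventType") == "user.risk.detect" and "brute force" in risk.lower()

def target_user(e):
    """Prefer the User entry in `target`; fall back to the actor (assumed event layout)."""
    users = [t["alternateId"] for t in e.get("target") or [] if t.get("type") == "User"]
    return users[0] if users else e.get("actor", {}).get("alternateId")

def triage(events):
    """One summary per detection: targeted user, source IP, and what the MFA log shows."""
    reports = []
    for det in filter(is_bruteforce_detection, events):
        user, ip = target_user(det), det["client"]["ipAddress"]
        from_ip = [e for e in events if e["eventType"] == MFA_EVENT and e["client"]["ipAddress"] == ip]
        mine = [e for e in from_ip if e["actor"]["alternateId"] == user]
        fails = sorted(e["published"] for e in mine if e["outcome"]["result"] == "FAILURE")
        reports.append({
            "user": user, "ip": ip, "failed_mfa": len(fails),
            "first_failure": fails[0] if fails else None, "last_failure": fails[-1] if fails else None,
            "mfa_satisfied": any(e["outcome"]["result"] == "SUCCESS" for e in mine),
            "other_users_from_ip": sorted({e["actor"]["alternateId"] for e in from_ip} - {user}),
        })
    return reports
```

Calling `triage(SAMPLE_EVENTS)` returns one summary per matching detection; a `mfa_satisfied` value of `True` means a challenge from the flagged IP succeeded for the targeted user, which answers the first triage question.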
