Okta Identity Threat Protection detected brute force attack

Goal

Detects when Okta Identity Threat Protection identifies an MFA brute force attack against a user account.

Strategy

This rule monitors Okta logs for user.risk.detect events where the @debugContext.debugData.risk field references an MFA brute force attempt. Okta Identity Threat Protection (ITP) is a built-in risk engine that analyzes authentication patterns in real time. When ITP flags a brute force attack, it indicates that an attacker is repeatedly attempting to satisfy MFA challenges for a targeted account, which can lead to unauthorized access if a weak or fatigued factor is eventually accepted.

Triage and response

  • Identify the user account targeted by the brute force attack and determine if the MFA challenge was ultimately satisfied or if all attempts were denied.
  • Review authentication logs from {{@network.client.ip}} to assess the volume and timing of the failed MFA attempts.
  • Check whether the targeted user reported receiving unexpected MFA push notifications or one-time passcode requests.
  • Examine whether {{@network.client.ip}} has been associated with other brute force or credential stuffing activity across additional accounts.
  • Verify the MFA factors enrolled for the targeted account and determine if weaker methods such as SMS or push notifications without number matching are in use.
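The following Python script is an added example, not part of the Datadog rule or Okta's own tooling. It shows the match condition described under Strategy (a user.risk.detect event whose debugContext.debugData.risk references an MFA brute force attempt) and the first two triage steps (which user was targeted, whether the challenge was ultimately satisfied, and the volume and timing of MFA attempts from the client IP). The sample events are constructed; the field layout follows the Okta System Log schema, but the exact wording ITP writes into the risk field and the use of user.authentication.auth_via_mfa as the MFA outcome event are assumptions to confirm against your own org's logs.

```python
from datetime import datetime


def _mfa_event(published, user, ip, result):
    """Build a constructed user.authentication.auth_via_mfa event (assumed event type)."""
    return {
        "eventType": "user.authentication.auth_via_mfa",
        "published": published,
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip},
        "outcome": {"result": result},
        "debugContext": {"debugData": {}},
    }


# Constructed sample events: one ITP brute force detection, one unrelated risk
# detection, five failed MFA challenges from the same IP, then one success.
SAMPLE_EVENTS = [
    {
        "eventType": "user.risk.detect",
        "published": "2024-05-01T10:00:30+00:00",
        "actor": {"alternateId": "alice@example.com"},
        "client": {"ipAddress": "203.0.113.10"},
        "outcome": {"result": "SUCCESS"},
        # Assumed wording of the ITP reason string
        "debugContext": {"debugData": {"risk": "{reasons=MFA brute force, level=HIGH}"}},
    },
    {
        "eventType": "user.risk.detect",
        "published": "2024-05-01T11:00:00+00:00",
        "actor": {"alternateId": "bob@example.com"},
        "client": {"ipAddress": "198.51.100.7"},
        "outcome": {"result": "SUCCESS"},
        "debugContext": {"debugData": {"risk": "{reasons=Anomalous Location, level=MEDIUM}"}},
    },
] + [
    _mfa_event(f"2024-05-01T10:00:{10 * i:02d}+00:00", "alice@example.com", "203.0.113.10", "FAILURE")
    for i in range(5)
] + [
    _mfa_event("2024-05-01T10:00:55+00:00", "alice@example.com", "203.0.113.10", "SUCCESS"),
]


def risk_reason(event):
    """Return the debugContext.debugData.risk string, or "" when it is absent."""
    debug_data = (event.get("debugContext") or {}).get("debugData") or {}
    return debug_data.get("risk") or ""


def matches_rule(event):
    """The rule's match condition: a user.risk.detect event whose risk field
    references an MFA brute force attempt (substring match is an assumption)."""
    return (
        event.get("eventType") == "user.risk.detect"
        and "mfa brute force" in risk_reason(event).lower()
    )


def detect_brute_force(events):
    """Return one finding per matching event, carrying the fields triage needs."""
    return [
        {
            "user": e["actor"]["alternateId"],
            "client_ip": e["client"]["ipAddress"],
            "risk": risk_reason(e),
            "published": e["published"],
        }
        for e in events
        if matches_rule(e)
    ]


def summarize_mfa_attempts(events, client_ip):
    """Triage helper: count MFA challenge outcomes from one client IP and report
    the time window, so volume, timing and whether a factor was finally accepted
    can be read off in one place."""
    attempts = [
        e for e in events
        if e.get("eventType") == "user.authentication.auth_via_mfa"
        and e["client"]["ipAddress"] == client_ip
    ]
    failures = sum(1 for e in attempts if e["outcome"]["result"] == "FAILURE")
    successes = len(attempts) - failures
    times = sorted(datetime.fromisoformat(e["published"]) for e in attempts)
    window = (times[-1] - times[0]).total_seconds() if times else 0.0
    return {
        "client_ip": client_ip,
        "failures": failures,
        "successes": successes,
        "targeted_users": sorted({e["actor"]["alternateId"] for e in attempts}),
        "window_seconds": window,
        "challenge_satisfied": successes > 0,  # a success after failures is the worst case
    }


if __name__ == "__main__":
    for finding in detect_brute_force(SAMPLE_EVENTS):
        print("ALERT", finding)
        print("  triage:", summarize_mfa_attempts(SAMPLE_EVENTS, finding["client_ip"]))
```

Only the first sample event fires the rule; the second is a risk detection with a different reason and is ignored. The triage summary for the flagged IP shows five failures followed by a success within 55 seconds, which is the "challenge ultimately satisfied" case the first triage step asks you to distinguish.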