---
title: Okta ThreatInsight login failure spikes with unknown users
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Okta ThreatInsight login failure spikes
  with unknown users
---

# Okta ThreatInsight login failure spikes with unknown users
- Classification: attack
- Tactic: [TA0001-initial-access](https://attack.mitre.org/tactics/TA0001)
- Technique: [T1078-valid-accounts](https://attack.mitre.org/techniques/T1078)

## Goal{% #goal %}

Detects when Okta ThreatInsight identifies a spike in login failures involving a high count of unknown usernames.

## Strategy{% #strategy %}

This rule monitors Okta logs for `security.threat.detected` events where `@outcome.reason` is `Login failures with high unknown users count` and `@debugContext.debugData.threatSuspected` is `true`. [Okta ThreatInsight](https://help.okta.com/en-us/content/topics/security/threat-insight/about-threatinsight) is a built-in threat detection engine that analyzes authentication patterns across the Okta tenant.

This specific alert fires when ThreatInsight observes a surge of failed login attempts using usernames that do not exist in the organization's directory. This pattern is characteristic of credential stuffing attacks, where an attacker tests large volumes of username and password pairs from breached credential databases against the Okta login endpoint.

## Triage and response{% #triage-and-response %}

- Review the IP address associated with the login failures to determine if it belongs to a known hosting provider, VPN service, or residential ISP.
- Examine the source IP addresses generating the failed login attempts and check whether any of them have also produced successful authentications for valid accounts.
- Identify any valid usernames that were attempted alongside the unknown usernames to determine if existing accounts are being targeted within the same campaign.
- Check if Okta ThreatInsight is configured in audit-only mode or enforcement mode, and verify whether the offending IP addresses were automatically blocked.
- Review whether the volume and timing of login failures correlate with known credential dump releases or ongoing campaigns.
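
The rule's match conditions from the Strategy section, applied to Okta System Log events, together with the triage check for alert source IPs that also produced a successful authentication. This is an added example, not Datadog's rule implementation; the events are constructed, and it assumes Okta's `debugData.threatSuspected` may arrive as the string `"true"` as well as a boolean.

```python
# Constructed sample Okta System Log events (not real tenant data). Field names follow the
# Okta System Log schema; Datadog's @outcome.reason is the Okta outcome.reason attribute.
SAMPLE_EVENTS = [
    {"eventType": "security.threat.detected", "published": "2024-05-01T10:00:00Z",
     "client": {"ipAddress": "198.51.100.7"},
     "outcome": {"result": "FAILURE", "reason": "Login failures with high unknown users count"},
     "debugContext": {"debugData": {"threatSuspected": "true"}}},
    {"eventType": "security.threat.detected", "published": "2024-05-01T10:02:00Z",
     "client": {"ipAddress": "203.0.113.9"},
     "outcome": {"result": "FAILURE", "reason": "Password spray"},  # other ThreatInsight reason
     "debugContext": {"debugData": {"threatSuspected": "true"}}},
    {"eventType": "user.session.start", "published": "2024-05-01T10:04:00Z",
     "client": {"ipAddress": "198.51.100.7"},
     "outcome": {"result": "SUCCESS"}, "debugContext": {"debugData": {}}},
    {"eventType": "security.threat.detected", "published": "2024-05-01T10:09:00Z",
     "client": {"ipAddress": "192.0.2.44"},
     "outcome": {"result": "FAILURE", "reason": "Login failures with high unknown users count"},
     "debugContext": {"debugData": {"threatSuspected": True}}},
]

RULE_EVENT_TYPE = "security.threat.detected"
RULE_REASON = "Login failures with high unknown users count"

def is_true(value):
    """Assumed: Okta may serialise debugData values as strings ("true"); accept bool too."""
    return value is True or str(value).lower() == "true"

def matches_rule(event):
    """The rule's three conditions: event type, ThreatInsight reason, threatSuspected flag."""
    outcome = event.get("outcome") or {}
    debug = (event.get("debugContext") or {}).get("debugData") or {}
    return (event.get("eventType") == RULE_EVENT_TYPE
            and outcome.get("reason") == RULE_REASON
            and is_true(debug.get("threatSuspected")))

def triage(events):
    """Match the rule, then flag alert IPs that also produced a successful authentication
    in the same batch of events (the IP correlation step from the triage list)."""
    success_ips = {(e.get("client") or {}).get("ipAddress")
                   for e in events if (e.get("outcome") or {}).get("result") == "SUCCESS"}
    return [{"published": e["published"], "ip": e["client"]["ipAddress"],
             "ip_also_succeeded": e["client"]["ipAddress"] in success_ips}
            for e in events if matches_rule(e)]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

An alert whose `ip_also_succeeded` is true is the case the triage list singles out: the same source reached a valid account, so the session and account deserve review rather than only the failed attempts.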
