Okta ThreatInsight login failure spikes with unknown users

Goal

Detects when Okta ThreatInsight identifies a spike in login failures involving a high count of unknown usernames.

Strategy

This rule monitors Okta logs for security.threat.detected events where @outcome.reason is "Login failures with high unknown users count" and @debugContext.debugData.threatSuspected is true. Okta ThreatInsight is a built-in threat detection engine that analyzes authentication patterns across the entire Okta tenant rather than a single account.

This specific alert fires when ThreatInsight observes a surge of failed login attempts using usernames that do not exist in the organization’s directory. This pattern is characteristic of credential stuffing attacks, where an attacker tests large volumes of username and password pairs from breached credential databases against the Okta login endpoint.
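As an added illustration, not part of the Datadog rule or its query, the following Python applies the three conditions above to constructed Okta System Log events and counts the matches per source IP, which is the first pivot in the triage steps below. It assumes Okta stores threatSuspected in debugData as the string "true" (a real boolean is accepted too).

```python
import json
from collections import Counter

# Criteria of the detection rule described above.
RULE_EVENT_TYPE = "security.threat.detected"
RULE_REASON = "Login failures with high unknown users count"

def parse_events(ndjson: str) -> list:
    """Parse newline-delimited Okta System Log JSON, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]

def threat_suspected(event: dict) -> bool:
    """Assumption: Okta emits debugData values as strings ("true"); accept a boolean too."""
    value = event.get("debugContext", {}).get("debugData", {}).get("threatSuspected")
    return value is True or str(value).lower() == "true"

def matches_rule(event: dict) -> bool:
    """True when the event meets all three conditions of the rule."""
    return (
        event.get("eventType") == RULE_EVENT_TYPE
        and event.get("outcome", {}).get("reason") == RULE_REASON
        and threat_suspected(event)
    )

def source_ips(events) -> Counter:
    """Count matching events per client IP address."""
    return Counter(e.get("client", {}).get("ipAddress", "unknown")
                   for e in events if matches_rule(e))

# Constructed sample events using documentation IP ranges, not data from a real tenant.
SAMPLE_LOG = """
{"eventType": "security.threat.detected", "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "FAILURE", "reason": "Login failures with high unknown users count"}, "debugContext": {"debugData": {"threatSuspected": "true"}}}
{"eventType": "security.threat.detected", "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "FAILURE", "reason": "Login failures with high unknown users count"}, "debugContext": {"debugData": {"threatSuspected": "true"}}}
{"eventType": "security.threat.detected", "client": {"ipAddress": "192.0.2.44"}, "outcome": {"result": "FAILURE", "reason": "Login failures with high unknown users count"}, "debugContext": {"debugData": {"threatSuspected": "false"}}}
{"eventType": "user.session.start", "client": {"ipAddress": "192.0.2.44"}, "outcome": {"result": "SUCCESS"}, "debugContext": {"debugData": {}}}
{"eventType": "security.threat.detected", "client": {"ipAddress": "203.0.113.21"}, "outcome": {"result": "FAILURE", "reason": "Login failures with high unknown users count"}, "debugContext": {"debugData": {"threatSuspected": "true"}}}
"""

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for ip, count in source_ips(events).most_common():
        print(f"{ip}: {count} ThreatInsight unknown-user spike event(s)")
```

The third sample event shows why the threatSuspected check matters: the same event type and reason with threatSuspected set to "false" does not trigger the rule.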

Triage and response

  • Review the IP address associated with the login failures to determine if it belongs to a known hosting provider, VPN service, or residential ISP.
  • Examine the source IP addresses generating the failed login attempts and check whether any of them have also produced successful authentications for valid accounts.
  • Identify any valid usernames that were attempted alongside the unknown usernames to determine if existing accounts are being targeted within the same campaign.
  • Check if Okta ThreatInsight is configured in audit-only mode or enforcement mode, and verify whether the offending IP addresses were automatically blocked.
  • Review whether the volume and timing of login failures correlate with known credential dump releases or ongoing campaigns.