---
title: Okta suspicious user login after breach credentials detected
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Okta suspicious user login after breach
  credentials detected
---

# Okta suspicious user login after breach credentials detected
Classification: attack. Tactic: [TA0001-initial-access](https://attack.mitre.org/tactics/TA0001). Technique: [T1078-valid-accounts](https://attack.mitre.org/techniques/T1078).
## Goal{% #goal %}

Detects when a user successfully authenticates or changes their password from an unfamiliar device or location after Okta identifies their credentials in a known breach.

## Strategy{% #strategy %}

This rule monitors Okta logs for a two-stage sequence. First, a `security.breached_credential.detected` event indicates that Okta has identified a user's credentials in a public data breach. Then, within the evaluation window, the same user performs a successful authentication (`user.authentication.*`), password reset (`user.account.reset_password`), or password update (`user.account.update_password`) from an unfamiliar device or geo-location, as indicated by `@debugContext.debugData.behaviors` containing `Device=POSITIVE` or `Geo-Location=POSITIVE`.

The combination of exposed credentials followed by activity from an unrecognized source is a strong indicator that an attacker has obtained the breached credentials and is actively using them to access or take over the account.
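The two-stage correlation described above, as an added example that is not Datadog's rule implementation: a small Python correlator run over constructed Okta System Log-style events (field names such as `actor.alternateId` and `published` follow Okta's System Log shape; the one-hour window is an assumed value, since the page does not state the rule's evaluation window).

```python
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Constructed sample events in an Okta System Log-like shape (not real logs).
EVENTS = [
    {"published": "2024-05-01T10:00:00Z", "eventType": "security.breached_credential.detected",
     "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"},
     "debugContext": {"debugData": {"behaviors": ""}}},
    # Unfamiliar geo-location 20 minutes after the breach notice: should fire.
    {"published": "2024-05-01T10:20:00Z", "eventType": "user.authentication.sso",
     "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"},
     "debugContext": {"debugData": {"behaviors": "{New Geo-Location=POSITIVE, New Device=NEGATIVE}"}}},
    # Risky behaviors but no preceding breach event for this user: should not fire.
    {"published": "2024-05-01T10:05:00Z", "eventType": "user.account.update_password",
     "actor": {"alternateId": "bob@example.com"}, "outcome": {"result": "SUCCESS"},
     "debugContext": {"debugData": {"behaviors": "{New Geo-Location=POSITIVE, New Device=POSITIVE}"}}},
    # Familiar device and location: should not fire even though it follows a breach.
    {"published": "2024-05-01T11:00:00Z", "eventType": "user.authentication.auth_via_mfa",
     "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"},
     "debugContext": {"debugData": {"behaviors": "{New Geo-Location=NEGATIVE, New Device=NEGATIVE}"}}},
]

BREACH_EVENT = "security.breached_credential.detected"
FOLLOW_UP_TYPES = ("user.authentication.*", "user.account.reset_password", "user.account.update_password")
RISKY_BEHAVIORS = ("Device=POSITIVE", "Geo-Location=POSITIVE")

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def is_risky_follow_up(event):
    """Successful auth or password change from an unfamiliar device or geo-location."""
    event_type = event["eventType"]
    behaviors = event.get("debugContext", {}).get("debugData", {}).get("behaviors", "")
    return (any(fnmatch(event_type, pattern) for pattern in FOLLOW_UP_TYPES)
            and event["outcome"]["result"] == "SUCCESS"
            and any(flag in behaviors for flag in RISKY_BEHAVIORS))

def correlate(events, window=timedelta(hours=1)):  # window is an assumed value
    """Return (user, eventType) for each risky follow-up within `window` of that user's breach notice."""
    last_breach = {}  # user -> timestamp of most recent breached-credential event
    hits = []
    for event in sorted(events, key=lambda e: parse_ts(e["published"])):
        user, ts = event["actor"]["alternateId"], parse_ts(event["published"])
        if event["eventType"] == BREACH_EVENT:
            last_breach[user] = ts
            continue
        if not is_risky_follow_up(event):
            continue
        breach_ts = last_breach.get(user)
        if breach_ts is not None and ts - breach_ts <= window:  # stage 1 must precede stage 2
            hits.append((user, event["eventType"]))
    return hits
```

Events are processed in timestamp order so a risky login that precedes the breach notice is never attributed to it, and a user with no breach event produces no alert regardless of behavior flags.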

## Triage and response{% #triage-and-response %}

- Review the `security.breached_credential.detected` event for `{{@usr.email}}` to understand when the breach notification occurred and which credential source was identified.
- Examine the follow-up authentication or password change event to determine the source IP, device, and geo-location, and assess whether they are consistent with the user's normal activity.
- Contact `{{@usr.email}}` to verify whether they initiated the login or password change from the flagged device or location.
- Check if the user's password was changed after the breach notification, and determine whether the reset was performed by the user or by an attacker who already had access.
- Review subsequent session activity for `{{@usr.email}}` to identify any application access, privilege changes, or data exfiltration that occurred after the suspicious authentication.
- Determine if other accounts with credentials from the same breach source have shown similar authentication anomalies.
