name: Okta Failed SSO Attempts
id: 371a6545-2618-4032-ad84-93386b8698c5
version: 6
date: '2025-02-10'
author: Michael Haag, Rico Valdez, Splunk
status: deprecated
type: Anomaly
description: '**DEPRECATION NOTE** - This search has been deprecated and replaced with the detection `Okta Unauthorized Access to Application - DM`. The following anomaly identifies failed Okta SSO events using the legacy Okta event "unauth app access attempt".'
data_source:
search: '`okta` eventType=app.generic.unauth_app_access_attempt | stats min(_time) as firstTime max(_time) as lastTime values(app) as Apps count by src_user, result, displayMessage, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_failed_sso_attempts_filter`'
how_to_implement: This search is specific to Okta and requires that Okta logs are being ingested into your Splunk deployment.
known_false_positives: A faulty configuration may prevent legitimate users from accessing apps they should have access to, which will surface as failed access attempts.
references:
- https://developer.okta.com/docs/reference/api/event-types/?q=app.generic.unauth_app_access_attempt
drilldown_searches:
tags:
  analytic_story:
  - Suspicious Okta Activity
  asset_type: Infrastructure
  mitre_attack_id:
  - T1078.001
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  security_domain: access