Multiple Okta users failed to login from a single IP address
Description
AlphaSOC detected multiple failed Okta login attempts from a single IP address. While this can occur in legitimate scenarios, the pattern may also indicate a brute-force or password-spraying attack targeting multiple user accounts. Password reset attempts are exempt from detection to reduce false positives.
Impact
Successful credential attacks could result in unauthorized access to organizational resources, data theft, and lateral movement within the network. Compromised Okta accounts may serve as an entry point for deeper network penetration and privilege escalation.
Severity
| Severity | Condition |
|---|---|
| Low | Multiple Okta users failed to login from a single IP address |
Investigation and Remediation
Review Okta authentication logs to identify the source IP address, affected accounts, and timing patterns of the failed login attempts. Block the suspicious IP address, reset passwords for the affected accounts, and enable multi-factor authentication if it is not already active. Analyze the logs for successful logins from the suspicious IP address, which may indicate a compromised account.
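The detection and the follow-up check described above, as an added Python example that is not AlphaSOC's own code: it groups failed Okta events by client IP, counts distinct affected accounts, exempts password-reset event types, and then lists accounts that later logged in successfully from a flagged IP. The Okta System Log field names and event type strings, the reset event types, and the threshold of three users are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Password-reset event types exempted from the count (names are assumptions;
# adjust to the event types your tenant actually emits).
RESET_EVENT_TYPES = {"user.account.reset_password", "user.account.update_password"}


def ev(event_type, result, ip, user):
    # Trimmed Okta System Log event carrying only the fields the detection reads.
    return {"eventType": event_type, "outcome": {"result": result},
            "client": {"ipAddress": ip}, "actor": {"alternateId": user}}


# Constructed sample: one IP fails against several accounts, then succeeds for one.
SAMPLE_EVENTS = [
    ev("user.session.start", "FAILURE", "198.51.100.7", "alice@example.com"),
    ev("user.session.start", "FAILURE", "198.51.100.7", "bob@example.com"),
    ev("user.session.start", "FAILURE", "198.51.100.7", "carol@example.com"),
    ev("user.session.start", "FAILURE", "198.51.100.7", "alice@example.com"),  # same user again
    ev("user.account.reset_password", "FAILURE", "198.51.100.7", "dave@example.com"),  # exempt
    ev("user.session.start", "SUCCESS", "198.51.100.7", "carol@example.com"),
    ev("user.session.start", "FAILURE", "203.0.113.5", "erin@example.com"),  # one user only
]


def failed_users_by_ip(events):
    """Map each client IP to the distinct users with a non-reset FAILURE outcome from it."""
    by_ip = defaultdict(set)
    for e in events:
        if e["eventType"] in RESET_EVENT_TYPES or e["outcome"]["result"] != "FAILURE":
            continue
        by_ip[e["client"]["ipAddress"]].add(e["actor"]["alternateId"])
    return by_ip


def detect(events, min_users=3):
    """IPs whose failures span at least min_users distinct accounts -> {ip: [users]}."""
    return {ip: sorted(users) for ip, users in failed_users_by_ip(events).items()
            if len(users) >= min_users}


def successful_logins_from(events, flagged_ips):
    """Accounts that logged in successfully from a flagged IP: possible compromise."""
    hits = defaultdict(set)
    for e in events:
        if (e["eventType"] == "user.session.start" and e["outcome"]["result"] == "SUCCESS"
                and e["client"]["ipAddress"] in flagged_ips):
            hits[e["client"]["ipAddress"]].add(e["actor"]["alternateId"])
    return {ip: sorted(users) for ip, users in hits.items()}
```

On the sample, `detect(SAMPLE_EVENTS)` flags only 198.51.100.7 (three distinct accounts, the reset event ignored), and `successful_logins_from` then surfaces carol@example.com as the account to examine first.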
Known False Positives
- Multiple users accessing through shared network infrastructure such as corporate VPNs or proxy servers