Suspicious login using a sprayed password
This detection indicates that a user successfully signed in to Okta using a password that's been identified in a password spray campaign.
Detection risk level: Medium
This detection means that either an attacker was able to enter a sprayed password to sign in, or that a valid user signed in with a password that's been identified in a password spray campaign.
MITRE tactic
MITRE technique
Brute Force: Password Spraying
Policy configuration
In your entity risk policy, set these conditions:
- Detection: Suspicious Login Using a Sprayed Password
- Take this action: Universal Logout, and run a Workflow to expire the user's password
System Log query
eventType eq "user.risk.detect" and debugContext.debugData.risk co "detectionName=Suspicious Login Using A Sprayed Password"
Remediation strategy
- Automated action from your entity risk policy: The user's password is expired immediately, and they're required to set a new one the next time that they sign in. If the user doesn't sign in (and therefore doesn't reset their password), their password remains exposed.
- Additional action: Configure the Password expiry rule for the Okta account management policy to enforce MFA during password resets.
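The System Log query above and the remediation list it feeds, worked through as an added Python example (not Okta's code): it applies the same eventType/risk-string test to exported System Log events and returns the users whose sessions should be revoked and passwords expired. The event records are constructed samples, and the exact text of debugContext.debugData.risk is an assumption beyond the substring the page's query matches on.

```python
import json

DETECTION_NAME = "Suspicious Login Using A Sprayed Password"

# Constructed sample System Log events (not real data). Field layout follows the
# Okta System Log schema; the full risk string is assumed, only the
# "detectionName=..." substring is taken from the page's query.
SAMPLE_LOG = json.loads("""[
 {"uuid": "e1", "published": "2024-05-01T10:00:00.000Z", "eventType": "user.risk.detect",
  "actor": {"id": "00u1", "alternateId": "alice@example.com"},
  "client": {"ipAddress": "203.0.113.10"},
  "debugContext": {"debugData": {"risk": "{detectionName=Suspicious Login Using A Sprayed Password, level=MEDIUM}"}}},
 {"uuid": "e2", "published": "2024-05-01T10:01:00.000Z", "eventType": "user.risk.detect",
  "actor": {"id": "00u2", "alternateId": "bob@example.com"},
  "client": {"ipAddress": "198.51.100.7"},
  "debugContext": {"debugData": {"risk": "{detectionName=Anomalous Device, level=LOW}"}}},
 {"uuid": "e3", "published": "2024-05-01T10:02:00.000Z", "eventType": "user.session.start",
  "actor": {"id": "00u1", "alternateId": "alice@example.com"},
  "client": {"ipAddress": "203.0.113.10"},
  "debugContext": {"debugData": {}}}
]""")


def get_path(event, dotted):
    """Walk a dotted path such as 'debugContext.debugData.risk'; None if absent."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches_detection(event):
    """Same test as the page's query: eventType eq "user.risk.detect" and
    debugContext.debugData.risk co "detectionName=<name>" (plain substring match)."""
    risk = get_path(event, "debugContext.debugData.risk")
    return (get_path(event, "eventType") == "user.risk.detect"
            and isinstance(risk, str)
            and f"detectionName={DETECTION_NAME}" in risk)


def users_to_remediate(events):
    """One entry per affected user: who needs Universal Logout and a password expiry."""
    seen = {}
    for ev in events:
        if matches_detection(ev):
            actor = get_path(ev, "actor.alternateId")
            seen.setdefault(actor, {"actor": actor, "ip": get_path(ev, "client.ipAddress"),
                                    "first_seen": get_path(ev, "published"), "count": 0})
            seen[actor]["count"] += 1
    return list(seen.values())


if __name__ == "__main__":
    for row in users_to_remediate(SAMPLE_LOG):
        print(row)
```

The output list is the set of accounts whose password remains exposed until the Workflow expiry runs and the user signs in again.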