Suspected brute force attack

This detection indicates that Okta has observed a high rate of failed password or MFA-based sign-in attempts, consistent with a brute force attack.

Detection risk level: Medium

A brute force attack pattern suggests that an actor is trying to guess the user's password or a valid MFA code. Remediation of this detection reduces the likelihood of account takeover.

Policy configuration

  • Detection: Suspected Brute Force Attack
  • Take this action: Run a Workflow to send a medium-priority alert to the SOC team for investigation

Remediation strategy

  1. Investigate: The SOC team should review the System Log for the failed sign-in attempts. Identify the source IPs and the targeted account.

  2. Block the threat: Enable ThreatInsight in block mode. Add the attack-source IPs to a blocked network zone.

  3. Contact the user: Proactively notify the user that they're being attacked (even if unsuccessfully). Advise them to set a strong, unique password. Reset other factors if necessary.
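As an added example (not Okta's code), the triage logic an analyst could run over System Log events exported for step 1, which also yields the source-IP list for the blocked network zone in step 2. The event type names are Okta's documented ones; the sample events, addresses and accounts are constructed, and the threshold and window are assumptions to tune per tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# System Log event types that record a rejected password (user.session.start with
# outcome FAILURE) or a rejected MFA verification (auth_via_mfa with outcome FAILURE).
FAILED_AUTH_EVENT_TYPES = {"user.session.start", "user.authentication.auth_via_mfa"}

def _event(minute, ip, user, event_type, result, reason=""):
    """Build a minimal System Log event carrying only the fields the analysis reads."""
    return {
        "published": f"2024-01-15T10:{minute:02d}:00.000Z",
        "eventType": event_type,
        "outcome": {"result": result, "reason": reason},
        "client": {"ipAddress": ip},
        "actor": {"alternateId": user},
    }

# Constructed sample, not real log data: seven rejected passwords against one account
# from one IP within eight minutes, one stray MFA failure elsewhere, one success.
SAMPLE_EVENTS = [
    _event(m, "203.0.113.7", "alice@example.com", "user.session.start", "FAILURE", "INVALID_CREDENTIALS")
    for m in (1, 2, 3, 4, 5, 7, 8)
] + [
    _event(3, "198.51.100.9", "bob@example.com", "user.authentication.auth_via_mfa", "FAILURE"),
    _event(9, "192.0.2.44", "alice@example.com", "user.session.start", "SUCCESS"),
]

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def find_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return {(source_ip, targeted_user): max failures seen inside any single window}
    for pairs that reach `threshold` failures; sliding window over sorted timestamps."""
    failures = defaultdict(list)
    for ev in events:
        if ev["eventType"] in FAILED_AUTH_EVENT_TYPES and ev["outcome"]["result"] == "FAILURE":
            failures[(ev["client"]["ipAddress"], ev["actor"]["alternateId"])].append(parse_time(ev["published"]))
    hits = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop attempts older than the window
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = max(hits.get(key, 0), end - start + 1)
    return hits

def source_ips(hits):
    """Distinct attack-source IPs to add to a blocked network zone (step 2)."""
    return sorted({ip for ip, _ in hits})

if __name__ == "__main__":
    hits = find_brute_force(SAMPLE_EVENTS)
    for (ip, user), count in hits.items():
        print(f"{ip} -> {user}: {count} failed attempts within window")
    print("block list:", source_ips(hits))
```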