Suspicious login from an IP flagged in a credential based attack

This detection is recorded when an IP address previously involved in a high-volume failed-login attack is used to sign in to your org. High-volume attacks include password spraying and credential stuffing.

Detection risk level: High

This detection is an example of Okta's network effect. It considers the IP activity across all orgs in the Okta customer base to identify high-volume login attacks.

Policy configuration

In your entity risk policy, set these conditions:

  • Detection: Suspicious Login From An IP Flagged In A Credential Based Attack
  • Take this action: Universal Logout, or run a Workflow to notify the SOC team to begin an investigation

Remediation strategy

  1. Immediate action: Based on your policy configuration, Universal Logout should terminate the session.

  2. Block the threat: Add the malicious IP address to a blocked network zone to prevent any further login attempts from that IP address.

  3. Investigate: Check for malicious activity in System Log events relevant to the flagged session.

  4. Secure the account:

    • Contact the user through an out-of-band method (phone call, Slack/Teams) to confirm they weren't the source of the activity.

    • Initiate a mandatory password reset for the user.

    • Review all enrolled MFA factors with the user to ensure that the attacker didn't register their own device.
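The following triage helper is an added example for steps 3 and 4 above; it is not Okta's code or part of this documentation. It assumes System Log events have already been exported as JSON (for instance from the System Log API with the filter string the `system_log_filter` function builds) and works offline on a constructed sample. The field names used (`eventType`, `published`, `client.ipAddress`, `actor.alternateId`, `outcome.result`) follow the System Log schema; the flagged IP, the sample events, and the set of event types treated as persistence indicators are assumptions chosen for the example.

```python
"""Triage helper for a 'Suspicious login from an IP flagged in a credential based
attack' detection (added example, not Okta's code).

Given exported System Log events, it (a) isolates activity from the flagged IP,
(b) lists the users who obtained a successful session from it, and (c) for each
such user surfaces later events that change the account's authentication
surface (new MFA factor, password change), which is what step 4 asks the analyst
to review with the user.
"""
from datetime import datetime, timezone

# Assumed: the IP named in the detection. 203.0.113.0/24 is a documentation range.
FLAGGED_IP = "203.0.113.45"

# Constructed sample events (not real data) in System Log shape.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "published": "2024-05-01T09:58:02.000Z",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.session.start", "published": "2024-05-01T10:02:11.000Z",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": FLAGGED_IP}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.mfa.factor.activate", "published": "2024-05-01T10:04:30.000Z",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": FLAGGED_IP}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.session.start", "published": "2024-05-01T10:05:00.000Z",
     "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "198.51.100.9"}, "outcome": {"result": "FAILURE"}},
]

# Assumed analyst choice: event types that, after a suspicious session, suggest the
# attacker tried to keep access (step 4: review MFA factors, reset the password).
PERSISTENCE_EVENTS = {"user.mfa.factor.activate", "user.account.update_password"}


def system_log_filter(ip):
    """Filter expression for GET /api/v1/logs?filter=... restricted to one client IP."""
    return f'client.ipAddress eq "{ip}"'


def parse_ts(published):
    """System Log timestamps are ISO 8601 with milliseconds and a trailing Z."""
    return datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def events_from_ip(events, ip):
    """Step 3: every event whose client IP is the flagged address."""
    return [e for e in events if e.get("client", {}).get("ipAddress") == ip]


def affected_users(events, ip):
    """Users who got a successful session from the flagged IP (the accounts to secure)."""
    return sorted({
        e["actor"]["alternateId"]
        for e in events_from_ip(events, ip)
        if e["eventType"] == "user.session.start" and e["outcome"]["result"] == "SUCCESS"
    })


def persistence_after_session(events, ip):
    """Step 4: for each affected user, persistence-relevant events at or after the
    first successful session from the flagged IP, regardless of which IP they
    came from (an attacker may move to a different address once logged in)."""
    findings = {}
    for user in affected_users(events, ip):
        user_events = sorted(
            (e for e in events if e["actor"]["alternateId"] == user),
            key=lambda e: parse_ts(e["published"]),
        )
        first_bad_session = min(
            parse_ts(e["published"]) for e in user_events
            if e["eventType"] == "user.session.start"
            and e["client"]["ipAddress"] == ip
            and e["outcome"]["result"] == "SUCCESS"
        )
        findings[user] = [
            e["eventType"] for e in user_events
            if e["eventType"] in PERSISTENCE_EVENTS
            and parse_ts(e["published"]) >= first_bad_session
        ]
    return findings


if __name__ == "__main__":
    print("System Log filter:", system_log_filter(FLAGGED_IP))
    print("Events from flagged IP:", len(events_from_ip(SAMPLE_EVENTS, FLAGGED_IP)))
    print("Accounts to secure:", affected_users(SAMPLE_EVENTS, FLAGGED_IP))
    print("Post-session changes to review:", persistence_after_session(SAMPLE_EVENTS, FLAGGED_IP))
```

On the sample, alice is the only account that received a session from the flagged IP, and an MFA factor was activated two minutes later, which is exactly the kind of enrollment the last remediation bullet asks you to confirm or remove with the user. Failed attempts such as bob's are left out of the affected-user list because they did not produce a session.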