
lsb08 (lsb08) asked a question.
While testing details related to a password spray attack with reference to Okta, we observed that there is a huge number of raw logs available for a limited number of attempts. How can we analyze these logs and confirm which are the actual login failure alerts and which are the duplicated / system-generated / Okta API-generated logs?
Can you please check the below and help me with unique details that can be used to separate the actual attack logs.

You can find the source ID of the request and check whether it comes from the same source. A password spray looks like logins from the same source ID but trying different accounts with some simple password.
The source IP is the same for all the requests. This is from only one user; it was only observed for a single user due to login failure. Based on validation it was only from 1 user, and there were only 3 attempts, but as per the logs it showed 30 attempts. Different username / different password attempts or different username / same password attempts were not observed.
How often were the 30 attempts? Maybe you should create a case with the Okta support team.
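One way to do the triage described in this thread (group by source, count distinct accounts per source as the spray signal, and collapse the 30 raw records down to the 3 real attempts) as an added example that is not from the thread or from Okta. The event shape and field names (eventType, outcome.result, actor.alternateId, client.ipAddress, transaction.id) are my assumptions about the Okta System Log format, and the sample events are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of Okta System Log events. The field names
# follow the System Log API as I understand it; treat them as assumptions,
# not values taken from the thread.
def _event(uuid, etype, result, actor, ip, txn):
    return {"uuid": uuid, "eventType": etype, "outcome": {"result": result},
            "actor": {"alternateId": actor}, "client": {"ipAddress": ip},
            "transaction": {"id": txn}}

RAW_EVENTS = []
# One user, 3 real failed attempts, each fanning out into 10 raw events
# (two user.session.start FAILURE records plus ancillary policy events).
for n in range(3):
    txn = f"txn-a{n}"
    RAW_EVENTS += [_event(f"u{n}-{i}", "user.session.start", "FAILURE",
                          "alice@example.com", "203.0.113.10", txn) for i in range(2)]
    RAW_EVENTS += [_event(f"p{n}-{i}", "policy.evaluate_sign_on", "SUCCESS",
                          "alice@example.com", "203.0.113.10", txn) for i in range(8)]
# One source trying 5 different accounts once each: the spray shape.
for n in range(5):
    RAW_EVENTS.append(_event(f"s{n}", "user.session.start", "FAILURE",
                             f"user{n}@example.com", "198.51.100.7", f"txn-b{n}"))

FAILED_AUTH_EVENT = "user.session.start"

def summarize(events, spray_threshold=3):
    """Collapse raw events to real failed attempts and classify per source IP."""
    raw = defaultdict(int)
    attempts = defaultdict(set)   # ip -> transaction ids (one per real attempt)
    accounts = defaultdict(set)   # ip -> distinct target accounts
    for ev in events:
        ip = ev["client"]["ipAddress"]
        raw[ip] += 1
        if ev["eventType"] != FAILED_AUTH_EVENT or ev["outcome"]["result"] != "FAILURE":
            continue   # ancillary events are not attempts
        attempts[ip].add(ev["transaction"]["id"])   # same txn = same attempt
        accounts[ip].add(ev["actor"]["alternateId"])
    out = {}
    for ip in raw:
        n_acc = len(accounts[ip])
        out[ip] = {"raw_events": raw[ip], "attempts": len(attempts[ip]),
                   "accounts": n_acc,
                   "pattern": "spray" if n_acc >= spray_threshold else "single-user"}
    return out

if __name__ == "__main__":
    print(json.dumps(summarize(RAW_EVENTS), indent=2))
```

Run against a real export, the same grouping tells you how many records each genuine attempt produces, which is the number to quote if you open a case with Okta support.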