From 177cfc85bfdf83e7edc4ebde3021888eacf3274a Mon Sep 17 00:00:00 2001
From: David French <56409778+threat-punter@users.noreply.github.com>
Date: Tue, 15 Jun 2021 09:07:51 -0700
Subject: [PATCH] [Rule Tuning] Attempts to Brute Force an Okta User Account (#1216)

* update rule.threshold field value
* add rule authors
* bump updated_date

Co-authored-by: Justin Ibarra
---
 ...al_access_attempts_to_brute_force_okta_user_account.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index a63b5e210..4a5bc1124 100644
--- a/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/05/18"
 
 [rule]
-author = ["Elastic"]
+author = ["Elastic", "@BenB196", "Austin Songer"]
 description = """
 Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or
 password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy
@@ -47,6 +47,6 @@ name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 
 [rule.threshold]
-field = ["okta.actor.id"]
+field = ["okta.actor.alternate_id"]
 value = 3
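Review bot: The second hunk changes the threshold grouping key from `okta.actor.id` to `okta.actor.alternate_id`, which decides how lockout events are bucketed before `value = 3` is applied, yet neither the hunk nor the commit message says why the Okta user id was dropped in favour of the login-style `alternate_id`. As far as I know a threshold rule only counts documents that carry the group-by field, so if `alternate_id` is missing or case-inconsistent on some `user.account.lock` events the lockouts for one account could be split across buckets and never reach 3 — worth confirming against ingested data before relying on it. I would capture the rationale where the next tuner will see it, e.g. a `note` field or a commit-message line such as `Group by okta.actor.alternate_id because okta.actor.id is <reason> on lock events`. Separately, the first hunk bumps `updated_date` to "2021/05/18" while the commit is dated 15 Jun 2021; presumably the PR was authored earlier, but the date should reflect when the rule actually changed. The `[rule]` table continues outside both hunks, so the query itself is not visible here.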