text code block:| tstats values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason FROM datamodel=Authentication WHERE Authentication.signature=app.generic.unauth_app_access_attempt Authentication.action="failure" BY _time Authentication.src Authentication.user Authentication.dest | `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | iplocation src | `okta_unauthorized_access_to_application_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).