Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy
Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/11/10"
3integration = ["okta"]
4maturity = "production"
5updated_date = "2024/09/23"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a
11proxy.
12"""
13false_positives = [
14 "An Okta admnistrator may be logged into multiple accounts from the same host for legitimate reasons.",
15 "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.",
16 "Shared systems such as Kiosks and conference room computers may be used by multiple users.",
17]
18from = "now-9m"
19index = ["filebeat-*", "logs-okta*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy"
23note = """## Triage and analysis
24
25### Investigating Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy
26
27This rule detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy. This may indicate that a shared device between users, or that a user is using a proxy to access multiple accounts for password spraying.
28
29#### Possible investigation steps:
30- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
31- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
32 - Since the device is behind a proxy, the `okta.client.ip` field will not be useful for determining the actual device IP address.
33- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.
34- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.
35 - Historical analysis should indicate if this device token hash is commonly associated with the user.
36- Review the `okta.event_type` field to determine the type of authentication event that occurred.
37 - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.
38 - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.
39- Examine the `okta.outcome.result` field to determine if the authentication was successful.
40- Review the past activities of the actor(s) involved in this action by checking their previous actions.
41- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.
42 - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.
43
44### False positive analysis:
45- A user may have legitimately started a session via a proxy for security or privacy reasons.
46- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.
47 - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.
48 - Shared systems such as Kiosks and conference room computers may be used by multiple users.
49 - Shared working spaces may have a single endpoint that is used by multiple users.
50
51### Response and remediation:
52- Review the profile of the users involved in this action to determine if proxy usage may be expected.
53- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.
54- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).
55 - If MFA is already enabled, consider resetting MFA for the users.
56- If any of the users are not legitimate, consider deactivating the user's account.
57- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
58- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.
59 - If so, confirm with the user this was a legitimate request.
60 - If so and this was not a legitimate request, consider deactivating the user's account temporarily.
61 - Reset passwords and reset MFA for the user.
62- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.
63 - This will prevent future occurrences of this event for this device from triggering the rule.
64"""
65references = [
66 "https://developer.okta.com/docs/reference/api/system-log/",
67 "https://developer.okta.com/docs/reference/api/event-types/",
68 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
69 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
70 "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
71 "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
72]
73risk_score = 47
74rule_id = "50887ba8-7ff7-11ee-a038-f661ea17fbcd"
75setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."
76severity = "medium"
77tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"]
78timestamp_override = "event.ingested"
79type = "threshold"
80
81query = '''
82event.dataset:okta.system
83 and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:*
84 and okta.event_type:user.authentication* and okta.security_context.is_proxy:true
85'''
86
87
88[[rule.threat]]
89framework = "MITRE ATT&CK"
90[[rule.threat.technique]]
91id = "T1110"
92name = "Brute Force"
93reference = "https://attack.mitre.org/techniques/T1110/"
94[[rule.threat.technique.subtechnique]]
95id = "T1110.003"
96name = "Password Spraying"
97reference = "https://attack.mitre.org/techniques/T1110/003/"
98
99
100[[rule.threat.technique]]
101id = "T1110"
102name = "Brute Force"
103reference = "https://attack.mitre.org/techniques/T1110/"
104[[rule.threat.technique.subtechnique]]
105id = "T1110.004"
106name = "Credential Stuffing"
107reference = "https://attack.mitre.org/techniques/T1110/004/"
108
109
110
111[rule.threat.tactic]
112id = "TA0006"
113name = "Credential Access"
114reference = "https://attack.mitre.org/tactics/TA0006/"
115
116[rule.threshold]
117field = ["okta.debug_context.debug_data.dt_hash"]
118value = 1
119[[rule.threshold.cardinality]]
120field = "okta.actor.id"
121value = 3
Triage and analysis
Investigating Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy
This rule detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy. This may indicate that a shared device between users, or that a user is using a proxy to access multiple accounts for password spraying.
Possible investigation steps:
- Identify the users involved in this action by examining the
okta.actor.id
,okta.actor.type
,okta.actor.alternate_id
, andokta.actor.display_name
fields. - Determine the device client used for these actions by analyzing
okta.client.ip
,okta.client.user_agent.raw_user_agent
,okta.client.zone
,okta.client.device
, andokta.client.id
fields.- Since the device is behind a proxy, the
okta.client.ip
field will not be useful for determining the actual device IP address.
- Since the device is behind a proxy, the
- Review the
okta.request.ip_chain
field for more information about the geographic location of the proxy. - With Okta end users identified, review the
okta.debug_context.debug_data.dt_hash
field.- Historical analysis should indicate if this device token hash is commonly associated with the user.
- Review the
okta.event_type
field to determine the type of authentication event that occurred.- If the event type is
user.authentication.sso
, the user may have legitimately started a session via a proxy for security or privacy reasons. - If the event type is
user.authentication.password
, the user may be using a proxy to access multiple accounts for password spraying.
- If the event type is
- Examine the
okta.outcome.result
field to determine if the authentication was successful. - Review the past activities of the actor(s) involved in this action by checking their previous actions.
- Evaluate the actions that happened just before and after this event in the
okta.event_type
field to help understand the full context of the activity.- This may help determine the authentication and authorization actions that occurred between the user, Okta and application.
False positive analysis:
- A user may have legitimately started a session via a proxy for security or privacy reasons.
- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.
- Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.
- Shared systems such as Kiosks and conference room computers may be used by multiple users.
- Shared working spaces may have a single endpoint that is used by multiple users.
Response and remediation:
- Review the profile of the users involved in this action to determine if proxy usage may be expected.
- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.
- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).
- If MFA is already enabled, consider resetting MFA for the users.
- If any of the users are not legitimate, consider deactivating the user's account.
- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.
- If so, confirm with the user this was a legitimate request.
- If so and this was not a legitimate request, consider deactivating the user's account temporarily.
- Reset passwords and reset MFA for the user.
- If this is a false positive, consider adding the
okta.debug_context.debug_data.dt_hash
field to theexceptions
list in the rule.- This will prevent future occurrences of this event for this device from triggering the rule.
References
Related rules
- Attempted Bypass of Okta MFA
- Attempts to Brute Force an Okta User Account
- Okta Brute Force or Password Spraying Attack
- Okta User Session Impersonation
- Potential Okta MFA Bombing via Push Notifications