Multiple Device Token Hashes for Single Okta Session
This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/11/08"
3integration = ["okta"]
4maturity = "production"
5min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
6min_stack_version = "8.13.0"
7updated_date = "2024/10/09"
8
9[rule]
10author = ["Elastic"]
11description = """
12This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may
13indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a
14session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.
15"""
16from = "now-9m"
17language = "esql"
18license = "Elastic License v2"
19name = "Multiple Device Token Hashes for Single Okta Session"
20note = """
21## Triage and analysis
22
23### Investigating Multiple Device Token Hashes for Single Okta Session
24
25This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.
26
27#### Possible investigation steps:
28- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.authentication_context.external_session_id` values can be used to pivot into the raw authentication events related to this alert.
29- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
30- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
31- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.
32 - Historical analysis should indicate if this device token hash is commonly associated with the user.
33- Review the `okta.event_type` field to determine the type of authentication event that occurred.
34 - Authentication events have been filtered out to focus on Okta activity via established sessions.
35- Review the past activities of the actor(s) involved in this action by checking their previous actions.
36- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.
37 - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.
38- Aggregate by `okta.actor.alternate_id` and `event.action` to determine the type of actions that are being performed by the actor(s) involved in this action.
39 - If various activity is reported that seems to indicate actions from separate users, consider deactivating the user's account temporarily.
40
41### False positive analysis:
42- It is very rare that a legitimate user would have multiple device token hashes for a single Okta session as DT hashes do not change after an authenticated session is established.
43
44### Response and remediation:
45- Consider stopping all sessions for the user(s) involved in this action.
46- If this does not appear to be a false positive, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).
47 - If MFA is already enabled, consider resetting MFA for the users.
48- If any of the users are not legitimate, consider deactivating the user's account.
49- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
50- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.
51 - If so, confirm with the user this was a legitimate request.
52 - If so and this was not a legitimate request, consider deactivating the user's account temporarily.
53 - Reset passwords and reset MFA for the user.
54- Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.
55 - This should be done with caution as it may prevent legitimate alerts from being generated.
56"""
57references = [
58 "https://developer.okta.com/docs/reference/api/system-log/",
59 "https://developer.okta.com/docs/reference/api/event-types/",
60 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
61 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
62 "https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US",
63 "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
64 "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
65]
66risk_score = 47
67rule_id = "cc382a2e-7e52-11ee-9aac-f661ea17fbcd"
68setup = """## Setup
69
70The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
71severity = "medium"
72tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access", "Domain: SaaS"]
73timestamp_override = "event.ingested"
74type = "esql"
75
76query = '''
77FROM logs-okta*
78| WHERE
79 event.dataset == "okta.system"
80 // ignore authentication events where session and device token hash change often
81 AND NOT event.action IN (
82 "policy.evaluate_sign_on",
83 "user.session.start",
84 "user.authentication.sso"
85 )
86 // ignore Okta system events and only allow registered users
87 AND (
88 okta.actor.alternate_id != "system@okta.com"
89 AND okta.actor.alternate_id RLIKE "[^@\\s]+\\@[^@\\s]+"
90 )
91 AND okta.authentication_context.external_session_id != "unknown"
92| KEEP event.action, okta.actor.alternate_id, okta.authentication_context.external_session_id, okta.debug_context.debug_data.dt_hash
93| STATS
94 dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY
95 okta.actor.alternate_id,
96 okta.authentication_context.external_session_id
97| WHERE
98 dt_hash_counts >= 2
99| SORT
100 dt_hash_counts DESC
101'''
102
103
104[[rule.threat]]
105framework = "MITRE ATT&CK"
106[[rule.threat.technique]]
107id = "T1539"
108name = "Steal Web Session Cookie"
109reference = "https://attack.mitre.org/techniques/T1539/"
110
111
112[rule.threat.tactic]
113id = "TA0006"
114name = "Credential Access"
115reference = "https://attack.mitre.org/tactics/TA0006/"
Triage and analysis
Investigating Multiple Device Token Hashes for Single Okta Session
This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.
Possible investigation steps:
- Since this is an ES|QL rule, the
okta.actor.alternate_id
andokta.authentication_context.external_session_id
values can be used to pivot into the raw authentication events related to this alert. - Identify the users involved in this action by examining the
okta.actor.id
,okta.actor.type
,okta.actor.alternate_id
, andokta.actor.display_name
fields. - Determine the device client used for these actions by analyzing
okta.client.ip
,okta.client.user_agent.raw_user_agent
,okta.client.zone
,okta.client.device
, andokta.client.id
fields. - With Okta end users identified, review the
okta.debug_context.debug_data.dt_hash
field.- Historical analysis should indicate if this device token hash is commonly associated with the user.
- Review the
okta.event_type
field to determine the type of authentication event that occurred.- Authentication events have been filtered out to focus on Okta activity via established sessions.
- Review the past activities of the actor(s) involved in this action by checking their previous actions.
- Evaluate the actions that happened just before and after this event in the
okta.event_type
field to help understand the full context of the activity.- This may help determine the authentication and authorization actions that occurred between the user, Okta and application.
- Aggregate by
okta.actor.alternate_id
andevent.action
to determine the type of actions that are being performed by the actor(s) involved in this action.- If various activity is reported that seems to indicate actions from separate users, consider deactivating the user's account temporarily.
False positive analysis:
- It is very rare that a legitimate user would have multiple device token hashes for a single Okta session as DT hashes do not change after an authenticated session is established.
Response and remediation:
- Consider stopping all sessions for the user(s) involved in this action.
- If this does not appear to be a false positive, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).
- If MFA is already enabled, consider resetting MFA for the users.
- If any of the users are not legitimate, consider deactivating the user's account.
- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.
- If so, confirm with the user this was a legitimate request.
- If so and this was not a legitimate request, consider deactivating the user's account temporarily.
- Reset passwords and reset MFA for the user.
- Alternatively adding
okta.client.ip
or a CIDR range to theexceptions
list can prevent future occurrences of this event from triggering the rule.- This should be done with caution as it may prevent legitimate alerts from being generated.
References
Related rules
- Attempts to Brute Force a Microsoft 365 User Account
- Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
- Azure Entra Sign-in Brute Force against Microsoft 365 Accounts
- High Number of Okta Device Token Cookies Generated for Authentication
- Multiple Okta User Authentication Events with Client Address