Okta User Sessions Started from Different Geolocations
Detects when a specific Okta actor has multiple sessions started from different geolocations.
Elastic rule
[metadata]
creation_date = "2023/11/18"
integration = ["okta"]
maturity = "production"
min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
min_stack_version = "8.10.0"
updated_date = "2023/11/18"


[rule]
author = ["Elastic"]
description = """
Detects when a specific Okta actor has multiple sessions started from different geolocations.
"""
from = "now-30m"
interval = "15m"
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Okta User Sessions Started from Different Geolocations"
note = """## Setup

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
    "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
    "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/"
]
risk_score = 47
rule_id = "2e56e1bc-867a-11ee-b13e-f661ea17fbcd"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.dataset:okta.system and okta.event_type:user.session.start and not okta.security_context.is_proxy:true
    and okta.actor.id:* and client.geo.country_name:*
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[rule.threshold]
field = ["okta.actor.id"]
value = 1

[[rule.threshold.cardinality]]
field = "client.geo.country_name"
value = 2
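As an added example, not part of the Elastic rule or this page, the Python below reproduces the rule's KQL filter and threshold logic (group by okta.actor.id over the now-30m window, alert when client.geo.country_name has two or more distinct values) over a constructed sample log. The events use flattened field names; the actor IDs, countries and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, actor, country, proxy=False, etype="user.session.start"):
    """Build one constructed event in the flattened field shape the rule queries."""
    return {"@timestamp": ts, "event.dataset": "okta.system", "okta.event_type": etype,
            "okta.actor.id": actor, "client.geo.country_name": country,
            "okta.security_context.is_proxy": proxy}


# Constructed sample log, not real Okta data.
SAMPLE_EVENTS = [
    ev("2023-11-18T10:00:00Z", "00u_alice", "Germany"),
    ev("2023-11-18T10:12:00Z", "00u_alice", "Brazil"),           # 2nd country -> alert
    ev("2023-11-18T10:05:00Z", "00u_bob", "Japan", proxy=True),  # excluded: proxy session
    ev("2023-11-18T10:06:00Z", "00u_bob", "Canada"),
    ev("2023-11-18T10:07:00Z", "00u_carol", "France"),
    ev("2023-11-18T10:20:00Z", "00u_carol", "France"),           # same country, cardinality 1
    ev("2023-11-18T10:08:00Z", "00u_dave", "Spain"),
    ev("2023-11-18T09:30:00Z", "00u_dave", "Italy"),             # outside the now-30m window
    ev("2023-11-18T10:09:00Z", "00u_alice", "Spain", etype="user.session.end"),  # wrong event type
]


def matches_query(e):
    """Python equivalent of the rule's KQL: dataset, event type, proxy exclusion
    (field false or absent passes), and existence of actor id and country."""
    return (e["event.dataset"] == "okta.system"
            and e["okta.event_type"] == "user.session.start"
            and e.get("okta.security_context.is_proxy") is not True
            and bool(e.get("okta.actor.id"))
            and bool(e.get("client.geo.country_name")))


def evaluate(events, now, lookback=timedelta(minutes=30), min_countries=2):
    """Threshold logic: group matching events by okta.actor.id within the lookback
    window and return actors whose sessions span >= min_countries distinct countries."""
    window_start = now - lookback
    seen = defaultdict(set)
    for e in events:
        ts = datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        if window_start <= ts <= now and matches_query(e):
            seen[e["okta.actor.id"]].add(e["client.geo.country_name"])
    return {actor: sorted(c) for actor, c in seen.items() if len(c) >= min_countries}


def run_sample():
    """Evaluate the constructed log at a fixed 'now' of 2023-11-18T10:30Z."""
    return evaluate(SAMPLE_EVENTS, datetime(2023, 11, 18, 10, 30))


if __name__ == "__main__":
    print(run_sample())  # {'00u_alice': ['Brazil', 'Germany']}
```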
Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Related rules
- Suspicious Activity Reported by Okta User
- Unauthorized Access to an Okta Application
- Administrator Privileges Assigned to an Okta Group
- Administrator Role Assigned to an Okta User
- Attempt to Create Okta API Token