Okta User Sessions Started from Different Geolocations

Detects when a specific Okta actor has multiple sessions started from different geolocations.

Elastic rule (View on GitHub)

# Elastic prebuilt detection rule (detection-rules TOML schema). The `#` lines
# are reviewer notes for operators tuning the rule; they are not rule fields.
[metadata]
creation_date = "2023/11/18"
integration = ["okta"]
maturity = "production"
# The 2.x Okta integration field layout is required (see min_stack_comments);
# older integration versions do not produce the fields the query relies on.
min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
min_stack_version = "8.10.0"
updated_date = "2023/11/18"


[rule]
author = ["Elastic"]
description = """
Detects when a specific Okta actor has multiple sessions started from different geolocations.
"""
# Look-back is 30 minutes while the rule runs every 15 minutes, so successive
# executions overlap and the same session-start events are evaluated twice.
# NOTE(review): confirm threshold-rule alert de-duplication on the deployed
# stack before changing either value; shrinking `from` below `interval` would
# leave gaps in coverage.
from = "now-30m"
interval = "15m"
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Okta User Sessions Started from Different Geolocations"
note = """## Setup

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
    "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
    "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/"
]
risk_score = 47
rule_id = "2e56e1bc-867a-11ee-b13e-f661ea17fbcd"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"]
# Window the search on ingest time (event.ingested) rather than the event's own
# timestamp, so Okta events that arrive late are still picked up by the next run.
timestamp_override = "event.ingested"
type = "threshold"
# Only user.session.start events are considered. `okta.actor.id:*` and
# `client.geo.country_name:*` require both fields to be present, so events
# lacking GeoIP enrichment are never counted: a broken or missing geo
# enrichment pipeline silently disables this detection rather than raising
# an error. Sessions Okta marks with security_context.is_proxy = true are
# excluded, which reduces noise from known proxy egress but also means those
# sessions never contribute to the per-actor country count below.
query = '''
event.dataset:okta.system and okta.event_type:user.session.start and not okta.security_context.is_proxy:true
    and okta.actor.id:* and client.geo.country_name:*
'''

# MITRE ATT&CK mapping: Valid Accounts / Cloud Accounts under Initial Access.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[rule.threshold]
# Group matching session starts per Okta actor. A threshold count of 1 means
# the event count itself never gates the alert; the cardinality condition
# below is what decides whether an actor fires.
field = ["okta.actor.id"]
value = 1

[[rule.threshold.cardinality]]
# Fire when one actor's session starts in the window carry at least two
# distinct GeoIP country values. Comparison is on the country name only, so
# two logins from different cities in one country are not flagged.
# NOTE(review): GeoIP for mobile-carrier and VPN egress addresses regularly
# resolves to a country other than the user's physical location, so expect
# benign hits from travelling users and corporate VPN use; handle these with
# rule exceptions rather than by raising this value.
field = "client.geo.country_name"
value = 2

Setup

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
