Successful Application SSO from Rare Unknown Client Device

Detects successful single sign-on (SSO) events to Okta applications from an unrecognized or "unknown" client device, as identified by the user-agent string. This activity may be indicative of exploitation of a vulnerability in Okta's Classic Engine, which could allow an attacker to bypass application-specific sign-on policies, such as device or network restrictions. The vulnerability potentially enables unauthorized access to applications using only valid, stolen credentials, without requiring additional authentication factors.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/10/07"
 3integration = ["okta"]
 4maturity = "production"
 5updated_date = "2024/12/09"
 6min_stack_version = "8.15.0"
 7min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Detects successful single sign-on (SSO) events to Okta applications from an unrecognized or "unknown" client device, as
13identified by the user-agent string. This activity may be indicative of exploitation of a vulnerability in Okta's
14Classic Engine, which could allow an attacker to bypass application-specific sign-on policies, such as device or network
15restrictions. The vulnerability potentially enables unauthorized access to applications using only valid, stolen
16credentials, without requiring additional authentication factors.
17"""
18from = "now-9m"
19index = ["filebeat-*", "logs-okta*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "Successful Application SSO from Rare Unknown Client Device"
23references = ["https://trust.okta.com/security-advisories/okta-classic-application-sign-on-policy-bypass-2024/"]
24risk_score = 47
25rule_id = "1502a836-84b2-11ef-b026-f661ea17fbcc"
26severity = "medium"
27tags = [
28    "Domain: SaaS",
29    "Data Source: Okta",
30    "Use Case: Threat Detection",
31    "Use Case: Identity and Access Audit",
32    "Tactic: Initial Access",
33]
34timestamp_override = "event.ingested"
35type = "new_terms"
36
37query = '''
38event.dataset: "okta.system"
39    and event.action: "user.authentication.sso"
40    and event.outcome: "success"
41    and okta.client.device: ("Unknown" or "unknown")
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1078"
49name = "Valid Accounts"
50reference = "https://attack.mitre.org/techniques/T1078/"
51
52
53[rule.threat.tactic]
54id = "TA0001"
55name = "Initial Access"
56reference = "https://attack.mitre.org/tactics/TA0001/"
57
58[rule.new_terms]
59field = "new_terms_fields"
60value = ["client.user.name", "okta.client.user_agent.raw_user_agent"]
61[[rule.new_terms.history_window_start]]
62field = "history_window_start"
63value = "now-14d"

References

