Successful Application SSO from Rare Unknown Client Device
Detects successful single sign-on (SSO) events to Okta applications from an unrecognized or "unknown" client device, as identified by the user-agent string. This activity may be indicative of exploitation of a vulnerability in Okta's Classic Engine, which could allow an attacker to bypass application-specific sign-on policies, such as device or network restrictions. The vulnerability potentially enables unauthorized access to applications using only valid, stolen credentials, without requiring additional authentication factors.
[metadata]
creation_date = "2024/10/07"
integration = ["okta"]
maturity = "production"
updated_date = "2024/10/07"

[rule]
author = ["Elastic"]
description = """
Detects successful single sign-on (SSO) events to Okta applications from an unrecognized or "unknown" client device, as
identified by the user-agent string. This activity may be indicative of exploitation of a vulnerability in Okta's
Classic Engine, which could allow an attacker to bypass application-specific sign-on policies, such as device or network
restrictions. The vulnerability potentially enables unauthorized access to applications using only valid, stolen
credentials, without requiring additional authentication factors.
"""
# Look-back window for each execution. No `interval` is set in this file, so
# the schedule comes from the platform default — NOTE(review): confirm that
# default is shorter than 9m so consecutive runs overlap rather than leave gaps.
from = "now-9m"
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Successful Application SSO from Rare Unknown Client Device"
# Vendor advisory for the Classic Engine sign-on policy bypass this rule targets.
references = ["https://trust.okta.com/security-advisories/okta-classic-application-sign-on-policy-bypass-2024/"]
risk_score = 47
rule_id = "1502a836-84b2-11ef-b026-f661ea17fbcc"
severity = "medium"
tags = [
  "Domain: SaaS",
  "Data Source: Okta",
  "Use Case: Threat Detection",
  "Use Case: Identity and Access Audit",
  "Tactic: Initial Access",
]
timestamp_override = "event.ingested"
# The KQL query alone would match every successful SSO from an unclassified
# device; the `new_terms` type (configured in [rule.new_terms] below) is what
# reduces that to first-seen combinations.
type = "new_terms"

# Successful application SSO events where Okta recorded the client device as
# unknown. Both casings are listed because the value is compared literally —
# assumes okta.client.device is a keyword field; confirm in the integration mapping.
# Coverage note: only events Okta labels "Unknown"/"unknown" are considered;
# the related Okta rules provide complementary coverage.
query = '''
event.dataset: "okta.system"
 and event.action: "user.authentication.sso"
 and event.outcome: "success"
 and okta.client.device: ("Unknown" or "unknown")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

# Alert only when the (user, raw user-agent) pair has not appeared in the
# preceding 14 days; earlier pairings are treated as baseline. A user whose
# first-ever SSO happens to be from an unknown device will also match.
[rule.new_terms]
field = "new_terms_fields"
value = ["client.user.name", "okta.client.user_agent.raw_user_agent"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
References
Related rules
- Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials
- First Occurrence of Okta User Session Started via Proxy
- New Okta Authentication Behavior Detected
- Okta FastPass Phishing Detection
- Okta Sign-In Events via Third-Party IdP