Successful Application SSO from Rare Unknown Client Device

Detects successful single sign-on (SSO) events to Okta applications from an unrecognized or "unknown" client device, as identified by the user-agent string. This activity may be indicative of exploitation of a vulnerability in Okta's Classic Engine, which could allow an attacker to bypass application-specific sign-on policies, such as device or network restrictions. The vulnerability potentially enables unauthorized access to applications using only valid, stolen credentials, without requiring additional authentication factors.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/10/07"
 3integration = ["okta"]
 4maturity = "production"
 5updated_date = "2025/01/15"
 6min_stack_version = "8.15.0"
 7min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Detects successful single sign-on (SSO) events to Okta applications from an unrecognized or "unknown" client device, as
13identified by the user-agent string. This activity may be indicative of exploitation of a vulnerability in Okta's
14Classic Engine, which could allow an attacker to bypass application-specific sign-on policies, such as device or network
15restrictions. The vulnerability potentially enables unauthorized access to applications using only valid, stolen
16credentials, without requiring additional authentication factors.
17"""
18from = "now-9m"
19index = ["filebeat-*", "logs-okta*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "Successful Application SSO from Rare Unknown Client Device"
23references = ["https://trust.okta.com/security-advisories/okta-classic-application-sign-on-policy-bypass-2024/"]
24risk_score = 47
25rule_id = "1502a836-84b2-11ef-b026-f661ea17fbcc"
26severity = "medium"
27tags = [
28    "Domain: SaaS",
29    "Data Source: Okta",
30    "Use Case: Threat Detection",
31    "Use Case: Identity and Access Audit",
32    "Tactic: Initial Access",
33    "Resources: Investigation Guide",
34]
35timestamp_override = "event.ingested"
36type = "new_terms"
37
38query = '''
39event.dataset: "okta.system"
40    and event.action: "user.authentication.sso"
41    and event.outcome: "success"
42    and okta.client.device: ("Unknown" or "unknown")
43'''
44note = """## Triage and analysis
45
46> **Disclaimer**:
47> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
48
49### Investigating Successful Application SSO from Rare Unknown Client Device
50
51Single sign-on (SSO) streamlines user access across applications by using a single set of credentials. However, adversaries can exploit vulnerabilities in SSO systems, like Okta's, to bypass security policies using stolen credentials. The detection rule identifies unusual SSO events from unknown devices, signaling potential unauthorized access attempts, thus helping to mitigate risks associated with credential theft.
52
53### Possible investigation steps
54
55- Review the event details in the alert to confirm the presence of the "Unknown" or "unknown" client device in the okta.client.device field.
56- Check the user-agent string associated with the event to gather more information about the unknown device and assess if it matches any known legitimate devices used by the user.
57- Investigate the user's recent login history and patterns to identify any anomalies or deviations from their typical behavior, such as unusual login times or locations.
58- Verify if there have been any recent changes to the user's account, such as password resets or modifications to multi-factor authentication settings, which could indicate account compromise.
59- Cross-reference the IP address associated with the SSO event against known malicious IP databases or internal threat intelligence to identify potential threats.
60- Contact the user to confirm whether they recognize the login activity and the device used, ensuring it was an authorized access attempt.
61
62### False positive analysis
63
64- Employees using new or updated devices may trigger false positives. Regularly update the list of recognized devices to include these changes.
65- Legitimate users accessing applications from different locations or networks, such as while traveling, can appear as unknown devices. Implement geolocation checks and allow exceptions for known travel patterns.
66- Software updates or changes in user-agent strings can cause devices to be misidentified. Monitor for consistent patterns and adjust the rule to accommodate these variations.
67- Shared devices in environments like conference rooms or labs may not have unique identifiers. Establish a process to register these shared devices to prevent them from being flagged.
68- Temporary network issues causing devices to appear as unknown can lead to false positives. Correlate with network logs to verify if the device is indeed unknown or if it was a transient issue.
69
70### Response and remediation
71
72- Immediately isolate the affected user account by disabling it to prevent further unauthorized access.
73- Conduct a thorough review of the affected user's recent activity across all Okta-integrated applications to identify any unauthorized actions or data access.
74- Reset the affected user's credentials and enforce a password change, ensuring the new password adheres to strong security policies.
75- Implement multi-factor authentication (MFA) for the affected user account if not already in place, to add an additional layer of security.
76- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
77- Review and update Okta's device recognition policies to improve detection of unknown or rare devices, reducing the risk of similar incidents.
78- Monitor for any further suspicious SSO activities from unknown devices and escalate to the incident response team if additional alerts are triggered."""
79
80
81[[rule.threat]]
82framework = "MITRE ATT&CK"
83[[rule.threat.technique]]
84id = "T1078"
85name = "Valid Accounts"
86reference = "https://attack.mitre.org/techniques/T1078/"
87
88
89[rule.threat.tactic]
90id = "TA0001"
91name = "Initial Access"
92reference = "https://attack.mitre.org/tactics/TA0001/"
93
94[rule.new_terms]
95field = "new_terms_fields"
96value = ["client.user.name", "okta.client.user_agent.raw_user_agent"]
97[[rule.new_terms.history_window_start]]
98field = "history_window_start"
99value = "now-14d"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Successful Application SSO from Rare Unknown Client Device

Single sign-on (SSO) streamlines user access across applications by using a single set of credentials. However, adversaries can exploit vulnerabilities in SSO systems, like Okta's, to bypass security policies using stolen credentials. The detection rule identifies unusual SSO events from unknown devices, signaling potential unauthorized access attempts, thus helping to mitigate risks associated with credential theft.

Possible investigation steps

  • Review the event details in the alert to confirm the presence of the "Unknown" or "unknown" client device in the okta.client.device field.
  • Check the user-agent string associated with the event to gather more information about the unknown device and assess if it matches any known legitimate devices used by the user.
  • Investigate the user's recent login history and patterns to identify any anomalies or deviations from their typical behavior, such as unusual login times or locations.
  • Verify if there have been any recent changes to the user's account, such as password resets or modifications to multi-factor authentication settings, which could indicate account compromise.
  • Cross-reference the IP address associated with the SSO event against known malicious IP databases or internal threat intelligence to identify potential threats.
  • Contact the user to confirm whether they recognize the login activity and the device used, ensuring it was an authorized access attempt.

False positive analysis

  • Employees using new or updated devices may trigger false positives. Regularly update the list of recognized devices to include these changes.
  • Legitimate users accessing applications from different locations or networks, such as while traveling, can appear as unknown devices. Implement geolocation checks and allow exceptions for known travel patterns.
  • Software updates or changes in user-agent strings can cause devices to be misidentified. Monitor for consistent patterns and adjust the rule to accommodate these variations.
  • Shared devices in environments like conference rooms or labs may not have unique identifiers. Establish a process to register these shared devices to prevent them from being flagged.
  • Temporary network issues causing devices to appear as unknown can lead to false positives. Correlate with network logs to verify if the device is indeed unknown or if it was a transient issue.

Response and remediation

  • Immediately isolate the affected user account by disabling it to prevent further unauthorized access.
  • Conduct a thorough review of the affected user's recent activity across all Okta-integrated applications to identify any unauthorized actions or data access.
  • Reset the affected user's credentials and enforce a password change, ensuring the new password adheres to strong security policies.
  • Implement multi-factor authentication (MFA) for the affected user account if not already in place, to add an additional layer of security.
  • Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
  • Review and update Okta's device recognition policies to improve detection of unknown or rare devices, reducing the risk of similar incidents.
  • Monitor for any further suspicious SSO activities from unknown devices and escalate to the incident response team if additional alerts are triggered.

References

Related rules

to-top