Multiple Okta Sessions Detected for a Single User
Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location.
Elastic rule
[metadata]
creation_date = "2023/11/07"
integration = ["okta"]
maturity = "production"
updated_date = "2024/12/19"
min_stack_version = "8.15.0"
min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."

[rule]
author = ["Elastic"]
description = """
Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may
indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a
different location.
"""
false_positives = ["A user may have multiple sessions open at the same time, such as on a mobile device and a laptop."]
from = "now-35m"
index = ["filebeat-*", "logs-okta*"]
interval = "30m"
language = "kuery"
license = "Elastic License v2"
name = "Multiple Okta Sessions Detected for a Single User"
note = """## Setup

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
    "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
    "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "621e92b6-7e54-11ee-bdc0-f661ea17fbcd"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Lateral Movement"]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.dataset:okta.system
    and okta.event_type:user.session.start
    and okta.authentication_context.external_session_id:*
    and not (okta.actor.id: okta* or okta.actor.display_name: okta*)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.004"
name = "Web Session Cookie"
reference = "https://attack.mitre.org/techniques/T1550/004/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

[rule.threshold]
field = ["okta.actor.id"]
value = 1
[[rule.threshold.cardinality]]
field = "okta.authentication_context.external_session_id"
value = 3
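To make the rule's behaviour concrete, the following is an added Python re-implementation of its query filter and threshold logic (it is not part of the Elastic rule and does not use the Elastic stack); it runs over constructed sample events using the flattened field names from the KQL query, with a fixed "now" so the 35-minute lookback is reproducible. Actor ids, display names and session ids are invented for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events, not real Okta data. Field names mirror the flattened
# Elastic Okta integration fields referenced by the rule's KQL query.
def ev(ts, actor_id, name, sid, etype="user.session.start"):
    return {"@timestamp": ts, "event.dataset": "okta.system", "okta.event_type": etype,
            "okta.actor.id": actor_id, "okta.actor.display_name": name,
            "okta.authentication_context.external_session_id": sid}

EVENTS = [
    ev("2024-01-10T09:10:00Z", "00u1alice", "alice@example.com", "idx-a1"),
    ev("2024-01-10T09:15:00Z", "00u1alice", "alice@example.com", "idx-a2"),
    ev("2024-01-10T09:30:00Z", "00u1alice", "alice@example.com", "idx-a3"),  # 3rd distinct session
    ev("2024-01-10T09:12:00Z", "00u2bob", "bob@example.com", "idx-b1"),
    ev("2024-01-10T09:20:00Z", "00u2bob", "bob@example.com", "idx-b1"),  # same session repeated
    ev("2024-01-10T09:25:00Z", "00u2bob", "bob@example.com", "idx-b2"),
    ev("2024-01-10T09:11:00Z", "okta-system", "Okta System", "idx-s1"),  # actor id matches okta*
    ev("2024-01-10T09:13:00Z", "okta-system", "Okta System", "idx-s2"),
    ev("2024-01-10T09:14:00Z", "okta-system", "Okta System", "idx-s3"),
    ev("2024-01-10T08:00:00Z", "00u3carol", "carol@example.com", "idx-c1"),  # before the 35m window
    ev("2024-01-10T09:16:00Z", "00u3carol", "carol@example.com", "idx-c2"),
    ev("2024-01-10T09:17:00Z", "00u3carol", "carol@example.com", "idx-c3"),
    ev("2024-01-10T09:18:00Z", "00u3carol", "carol@example.com", None, etype="user.session.end"),
]
NOW = datetime(2024, 1, 10, 9, 40, tzinfo=timezone.utc)  # fixed "now" for a reproducible run

def matches_query(e):
    """Mirror the KQL filter: dataset, event type, session id present, non-Okta actor."""
    if e.get("event.dataset") != "okta.system" or e.get("okta.event_type") != "user.session.start":
        return False
    if not e.get("okta.authentication_context.external_session_id"):  # `field:*` needs a value
        return False
    # `okta*` is treated here as a prefix match, as KQL does on keyword fields.
    return not (e.get("okta.actor.id", "").startswith("okta")
                or e.get("okta.actor.display_name", "").startswith("okta"))

def threshold_alerts(events, window_start, window_end, cardinality=3):
    """Group matching events by okta.actor.id and alert when an actor has at least
    `cardinality` distinct external_session_id values, as [rule.threshold] specifies."""
    sessions = defaultdict(set)
    for e in events:
        ts = datetime.fromisoformat(e["@timestamp"].replace("Z", "+00:00"))
        if window_start <= ts < window_end and matches_query(e):
            sessions[e["okta.actor.id"]].add(e["okta.authentication_context.external_session_id"])
    return {actor: sorted(ids) for actor, ids in sessions.items() if len(ids) >= cardinality}

def run_rule(events=EVENTS, now=NOW):
    """One scheduled execution: look back 35 minutes (from = "now-35m") up to now."""
    return threshold_alerts(events, now - timedelta(minutes=35), now)
```

Only alice trips the rule: bob's repeated session id counts once, carol's first session falls outside the lookback, and the Okta system actor is excluded by the query.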