Multiple Okta Sessions Detected for a Single User

  1[metadata]
  2creation_date = "2023/11/07"
  3integration = ["okta"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6min_stack_version = "8.15.0"
  7min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may
 13indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a
 14different location.
 15"""
 16false_positives = ["A user may have multiple sessions open at the same time, such as on a mobile device and a laptop."]
 17from = "now-35m"
 18index = ["filebeat-*", "logs-okta*"]
 19interval = "30m"
 20language = "kuery"
 21license = "Elastic License v2"
 22name = "Multiple Okta Sessions Detected for a Single User"
 23note = """## Triage and analysis
 24
 25> **Disclaimer**:
 26> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 27
 28### Investigating Multiple Okta Sessions Detected for a Single User
 29
 30Okta is a widely used identity management service that facilitates secure user authentication and access control. Adversaries may exploit Okta by hijacking session cookies, allowing unauthorized access to user accounts from different locations. The detection rule identifies anomalies by flagging multiple session initiations with distinct session IDs for the same user, excluding legitimate Okta system actors, thus highlighting potential unauthorized access attempts.
 31
 32### Possible investigation steps
 33
 34- Review the Okta logs to identify the specific user account associated with the multiple session initiations and note the distinct session IDs.
 35- Check the geographic locations and IP addresses associated with each session initiation to determine if there are any unusual or unexpected locations.
 36- Investigate the timestamps of the session initiations to see if they align with the user's typical login patterns or if they suggest simultaneous logins from different locations.
 37- Examine the okta.actor.id and okta.actor.display_name fields to ensure that the sessions were not initiated by legitimate Okta system actors.
 38- Contact the user to verify if they recognize the session activity and if they have recently logged in from multiple devices or locations.
 39- Assess if there are any other related security alerts or incidents involving the same user account that could indicate a broader compromise.
 40
 41### False positive analysis
 42
 43- Legitimate multiple device usage: Users may legitimately access their accounts from multiple devices, leading to multiple session initiations. To handle this, create exceptions for users who frequently use multiple devices for work.
 44- Frequent travel or remote work: Users who travel often or work remotely may trigger this rule due to accessing Okta from various locations. Consider setting up location-based exceptions for these users.
 45- Shared accounts: In environments where account sharing is common, multiple sessions may be expected. Implement policies to discourage account sharing or create exceptions for known shared accounts.
 46- Automated scripts or integrations: Some users may have automated processes that initiate multiple sessions. Identify these scripts and exclude them from the rule by their specific session patterns.
 47- Testing and development environments: Users involved in testing or development may generate multiple sessions as part of their work. Exclude these environments from the rule to prevent false positives.
 48
 49### Response and remediation
 50
 51- Immediately terminate all active sessions for the affected user account to prevent further unauthorized access.
 52- Reset the user's password and invalidate any existing session cookies to ensure that any stolen session cookies are rendered useless.
 53- Conduct a thorough review of recent login activity and session logs for the affected user to identify any suspicious or unauthorized access patterns.
 54- Notify the user of the potential compromise and advise them to verify any recent account activity for unauthorized actions.
 55- Escalate the incident to the security operations team for further investigation and to determine if additional accounts or systems may be affected.
 56- Implement multi-factor authentication (MFA) for the affected user account if not already in place, to add an additional layer of security against unauthorized access.
 57- Update and enhance monitoring rules to detect similar anomalies in the future, focusing on unusual session patterns and access from unexpected locations.
 58
 59## Setup
 60
 61The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 62references = [
 63    "https://developer.okta.com/docs/reference/api/system-log/",
 64    "https://developer.okta.com/docs/reference/api/event-types/",
 65    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 66    "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 67    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
 68    "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 69]
 70risk_score = 47
 71rule_id = "621e92b6-7e54-11ee-bdc0-f661ea17fbcd"
 72severity = "medium"
 73tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Lateral Movement", "Resources: Investigation Guide"]
 74timestamp_override = "event.ingested"
 75type = "threshold"
 76
 77query = '''
 78event.dataset:okta.system
 79    and okta.event_type:user.session.start
 80    and okta.authentication_context.external_session_id:*
 81    and not (okta.actor.id: okta* or okta.actor.display_name: okta*)
 82'''
 83
 84
 85[[rule.threat]]
 86framework = "MITRE ATT&CK"
 87[[rule.threat.technique]]
 88id = "T1550"
 89name = "Use Alternate Authentication Material"
 90reference = "https://attack.mitre.org/techniques/T1550/"
 91[[rule.threat.technique.subtechnique]]
 92id = "T1550.004"
 93name = "Web Session Cookie"
 94reference = "https://attack.mitre.org/techniques/T1550/004/"
 95
 96
 97
 98[rule.threat.tactic]
 99id = "TA0008"
100name = "Lateral Movement"
101reference = "https://attack.mitre.org/tactics/TA0008/"
102
103[rule.threshold]
104field = ["okta.actor.id"]
105value = 1
106[[rule.threshold.cardinality]]
107field = "okta.authentication_context.external_session_id"
108value = 3