Multiple Okta Sessions Detected for a Single User
Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/11/07"
3integration = ["okta"]
4maturity = "production"
5min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
6min_stack_version = "8.10.0"
7updated_date = "2023/11/07"
8
9
10[rule]
11author = ["Elastic"]
12description = """
13Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location.
14"""
15false_positives = [
16 "A user may have multiple sessions open at the same time, such as on a mobile device and a laptop.",
17]
18from = "now-30m"
19interval = "60m"
20index = ["filebeat-*", "logs-okta*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "Multiple Okta Sessions Detected for a Single User"
24note = """## Setup
25
26The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
27references = [
28 "https://developer.okta.com/docs/reference/api/system-log/",
29 "https://developer.okta.com/docs/reference/api/event-types/",
30 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
31 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
32]
33risk_score = 47
34rule_id = "621e92b6-7e54-11ee-bdc0-f661ea17fbcd"
35severity = "medium"
36tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Lateral Movement"]
37timestamp_override = "event.ingested"
38type = "threshold"
39query = '''
40event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*
41 and not (okta.actor.id: okta* or okta.actor.display_name: okta*)
42'''
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46
47[[rule.threat.technique]]
48id = "T1550"
49name = "Use Alternate Authentication Material"
50reference = "https://attack.mitre.org/techniques/T1550/"
51
52[[rule.threat.technique.subtechnique]]
53id = "T1550.004"
54name = "Web Session Cookie"
55reference = "https://attack.mitre.org/techniques/T1550/004/"
56
57[rule.threat.tactic]
58id = "TA0008"
59name = "Lateral Movement"
60reference = "https://attack.mitre.org/tactics/TA0008/"
61
62[rule.threshold]
63field = ["okta.actor.id"]
64value = 1
65
66[[rule.threshold.cardinality]]
67field = "okta.authentication_context.external_session_id"
68value = 3
Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
-
-
Testing your Okta visibility and detection with Dorothy and Elastic Security — Elastic Security Labs
Dorothy is a tool for security teams to test their visibility and detection capabilities for their Okta environment. IAM solutions are frequently targeted by adversaries but poorly monitored. Learn how to get started with Dorothy in this post.
Read More -
Summary Okta has observed attacks in which a threat actor used social engineering to attain a highly privileged role in an Okta customer Organization (tenant). When successful, the threat actor demonstrated novel methods of lateral movement and defense evasion. These methods are preventable and present several detection opportunities for defenders. In recent weeks, multiple US-based Okta customers have reported a consistent pattern of so
Read More
Related rules
- Multiple Okta Client Addresses for a Single User Session
- Okta Sign-In Events via Third-Party IdP
- New Okta Identity Provider (IdP) Added by Admin
- First Occurrence of Okta User Session Started via Proxy
- New Okta Authentication Behavior Detected