Unusual Spike in Concurrent Active Sessions by a User

  1[metadata]
  2creation_date = "2025/02/18"
  3integration = ["pad","okta"]
  4maturity = "production"
  5updated_date = "2025/02/18"
  6min_stack_version = "8.18.0"
  7min_stack_comments = "New PAD integration only available starting at 8.18.0."
  8
  9[rule]
 10anomaly_threshold = 75
 11author = ["Elastic"]
 12description = """
 13A machine learning job has detected an unusually high number of active concurrent sessions initiated by a user, indicating potential privileged access activity.
 14A sudden surge in concurrent active sessions by a user may indicate an attempt to abuse valid credentials for privilege escalation or maintain persistence.
 15Adversaries might be leveraging multiple sessions to execute privileged operations, evade detection, or perform unauthorized actions across different systems.
 16"""
 17from = "now-3h"
 18interval = "15m"
 19license = "Elastic License v2"
 20machine_learning_job_id = "pad_okta_high_sum_concurrent_sessions_by_user"
 21name = "Unusual Spike in Concurrent Active Sessions by a User"
 22references = [
 23    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 24    "https://docs.elastic.co/en/integrations/pad"
 25]
 26risk_score = 21
 27rule_id = "a300dea6-e228-40e1-9123-a339e207378b"
 28setup = """## Setup
 29
 30The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
 31
 32### Privileged Access Detection Setup
 33The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
 34
 35#### Prerequisite Requirements:
 36- Fleet is required for Privileged Access Detection.
 37- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 38- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
 39- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
 40
 41#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
 42- Go to the Kibana homepage. Under Management, click Integrations.
 43- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
 44- Follow the instructions under the **Installation** section.
 45- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 46"""
 47severity = "low"
 48tags = [
 49    "Use Case: Privileged Access Detection",
 50    "Rule Type: ML",
 51    "Rule Type: Machine Learning",
 52    "Tactic: Privilege Escalation",
 53    "Resources: Investigation Guide"
 54]
 55type = "machine_learning"
 56note = """## Triage and analysis
 57
 58> **Disclaimer**:
 59> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 60
 61### Investigating Unusual Spike in Concurrent Active Sessions by a User
 62
 63The detection of unusual spikes in concurrent active sessions leverages machine learning to identify anomalies in user behavior, particularly those suggesting privilege misuse. Adversaries may exploit valid credentials to initiate multiple sessions, aiming to escalate privileges or evade detection. This rule identifies such anomalies, flagging potential unauthorized access or privilege escalation attempts.
 64
 65### Possible investigation steps
 66
 67- Review the user's recent activity logs to identify any unusual patterns or deviations from their typical behavior, focusing on the timestamps and systems accessed during the spike in concurrent sessions.
 68- Check for any recent changes in the user's access privileges or roles that might explain the increase in session activity, ensuring that these changes were authorized and documented.
 69- Investigate the source IP addresses and geolocations associated with the concurrent sessions to determine if they align with the user's known locations or if they suggest potential unauthorized access.
 70- Analyze the specific actions performed during the concurrent sessions to identify any attempts at privilege escalation or unauthorized access to sensitive systems or data.
 71- Correlate the user's session activity with any other security alerts or incidents to assess if this behavior is part of a larger pattern of suspicious activity.
 72
 73### False positive analysis
 74
 75- High-volume legitimate activities such as system updates or batch processing can trigger false positives. Exclude these activities by identifying and whitelisting known processes or users involved in such operations.
 76- Users with roles that require multiple concurrent sessions, like system administrators or developers, may naturally exhibit this behavior. Create exceptions for these roles by defining baseline session patterns and adjusting thresholds accordingly.
 77- Automated scripts or tools that require multiple logins for monitoring or maintenance tasks can be mistaken for suspicious activity. Document and exclude these scripts by associating them with specific user accounts or service accounts.
 78- Temporary spikes due to legitimate business needs, such as end-of-quarter financial processing, can be misinterpreted. Implement a process to temporarily adjust detection parameters during known high-activity periods.
 79- Shared accounts used by multiple team members can lead to an increase in concurrent sessions. Encourage the use of individual accounts and implement monitoring to differentiate between shared and individual account activities.
 80
 81### Response and remediation
 82
 83- Immediately isolate the user account showing unusual concurrent session activity to prevent further unauthorized access or privilege escalation.
 84- Conduct a thorough review of the affected systems and sessions to identify any unauthorized changes or actions performed during the spike in activity.
 85- Reset the credentials of the compromised user account and enforce a password change policy to ensure the account is secured.
 86- Analyze logs and session data to determine the source of the unauthorized access, identifying any potential entry points or vulnerabilities exploited.
 87- Escalate the incident to the security operations team for further investigation and to assess the need for additional security measures or incident response actions.
 88- Implement additional monitoring on the affected systems and user accounts to detect any further suspicious activity or attempts to regain access.
 89- Review and update access controls and permissions to ensure that only authorized users have the necessary privileges, reducing the risk of future privilege escalation attempts."""
 90[[rule.threat]]
 91framework = "MITRE ATT&CK"
 92[[rule.threat.technique]]
 93id = "T1068"
 94name = "Exploitation for Privilege Escalation"
 95reference = "https://attack.mitre.org/techniques/T1068/"
 96
 97[[rule.threat.technique]]
 98id = "T1078"
 99name = "Valid Accounts"
100reference = "https://attack.mitre.org/techniques/T1078/"
101
102[rule.threat.tactic]
103id = "TA0004"
104name = "Privilege Escalation"
105reference = "https://attack.mitre.org/tactics/TA0004/"```