IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Multiple Okta Sessions Detected for a Single User
Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user’s session cookie and is using it to access the user’s account from a different location.
Rule type: threshold
Rule indices:
- filebeat-*
- logs-okta*
Severity: medium
Risk score: 47
Runs every: 60m
Searches indices from: now-30m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Use Case: Identity and Access Audit
- Data Source: Okta
- Tactic: Lateral Movement
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Rule query
event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:* and not (okta.actor.id: okta* or okta.actor.display_name: okta*)
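The rule above is a threshold rule, so the KQL only selects candidate session-start events; the alert fires when a single actor accumulates several distinct external session IDs inside the look-back window. The script below is an added example (not Elastic's rule code) that replays that two-stage logic over constructed Okta System Log documents; the threshold field (distinct okta.authentication_context.external_session_id per okta.actor.id), the cardinality of 2, and the sample events are assumptions, since the page states only the base query and the now-30m window.

```python
"""Threshold-style check over Okta System Log events (added example, not Elastic's code)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def matches_query(ev):
    """Python equivalent of the rule's KQL base query (okta* is a prefix match)."""
    return (ev.get("event.dataset") == "okta.system"
            and ev.get("okta.event_type") == "user.session.start"
            and bool(ev.get("okta.authentication_context.external_session_id"))
            and not ev.get("okta.actor.id", "").startswith("okta")
            and not ev.get("okta.actor.display_name", "").startswith("okta"))

def find_multi_session_users(events, now, lookback=timedelta(minutes=30), threshold=2):
    """Assumed threshold stage: distinct session IDs per actor inside the look-back."""
    sessions = defaultdict(set)
    for ev in events:
        if matches_query(ev) and _ts(ev["@timestamp"]) >= now - lookback:
            sessions[ev["okta.actor.id"]].add(
                ev["okta.authentication_context.external_session_id"])
    return {a: sorted(s) for a, s in sessions.items() if len(s) >= threshold}

def _event(ts, actor_id, name, sid):  # builds one flattened okta.system document
    return {"@timestamp": ts, "event.dataset": "okta.system",
            "okta.event_type": "user.session.start", "okta.actor.id": actor_id,
            "okta.actor.display_name": name,
            "okta.authentication_context.external_session_id": sid}

SAMPLE_EVENTS = [  # constructed sample data, not real Okta logs
    _event("2024-01-01T10:02:00Z", "00u1alice", "Alice Example", "sid-A1"),
    _event("2024-01-01T10:09:00Z", "00u1alice", "Alice Example", "sid-A2"),  # 2nd distinct session
    _event("2024-01-01T10:04:00Z", "00u2bob", "Bob Example", "sid-B1"),
    _event("2024-01-01T10:12:00Z", "00u2bob", "Bob Example", "sid-B1"),      # same session: no alert
    _event("2024-01-01T10:05:00Z", "okta-system", "okta system", "sid-S1"),
    _event("2024-01-01T10:06:00Z", "okta-system", "okta system", "sid-S2"),  # excluded by the query
    _event("2024-01-01T09:20:00Z", "00u3carol", "Carol Example", "sid-C1"),  # outside now-30m
    _event("2024-01-01T10:15:00Z", "00u3carol", "Carol Example", "sid-C2"),
]

if __name__ == "__main__":
    now = _ts("2024-01-01T10:20:00Z")
    for actor, ids in find_multi_session_users(SAMPLE_EVENTS, now).items():
        print(f"ALERT {actor}: {len(ids)} distinct sessions {ids}")
```

Only Alice is reported: Bob's events share one session ID, the okta-system actor is excluded by the query's not clause, and Carol's first session falls outside the 30-minute window.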
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Lateral Movement
  - ID: TA0008
  - Reference URL: https://attack.mitre.org/tactics/TA0008/
- Technique:
  - Name: Use Alternate Authentication Material
  - ID: T1550
  - Reference URL: https://attack.mitre.org/techniques/T1550/
- Sub-technique:
  - Name: Web Session Cookie
  - ID: T1550.004
  - Reference URL: https://attack.mitre.org/techniques/T1550/004/