Multiple Okta Sessions Detected for a Single User | Elastic Security Solution [8.11]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› ›

« Okta Sign-In Events via Third-Party IdP New Okta Identity Provider (IdP) Added by Admin »

Multiple Okta Sessions Detected for a Single Useredit

Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user’s session cookie and is using it to access the user’s account from a different location.

Rule type: threshold

Rule indices:

filebeat-*
logs-okta*

Severity: medium

Risk score: 47

Runs every: 60m

Searches indices from: now-30m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Lateral Movement

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guideedit

Rule queryedit

event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*
    and not (okta.actor.id: okta* or okta.actor.display_name: okta*)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
Technique:
- Name: Use Alternate Authentication Material
- ID: T1550
- Reference URL: https://attack.mitre.org/techniques/T1550/
Sub-technique:
- Name: Web Session Cookie
- ID: T1550.004
- Reference URL: https://attack.mitre.org/techniques/T1550/004/

« Okta Sign-In Events via Third-Party IdP New Okta Identity Provider (IdP) Added by Admin »