Multiple Okta Sessions Detected for a Single User | Elastic Security Solution [8.13]

› › ›

« Multiple Okta Client Addresses for a Single User Session Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy »

Multiple Okta Sessions Detected for a Single Useredit

Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user’s session cookie and is using it to access the user’s account from a different location.

Rule type: threshold

Rule indices:

filebeat-*
logs-okta*

Severity: medium

Risk score: 47

Runs every: 60m

Searches indices from: now-30m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Lateral Movement

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guideedit

Setupedit

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Rule queryedit

event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*
    and not (okta.actor.id: okta* or okta.actor.display_name: okta*)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
Technique:
- Name: Use Alternate Authentication Material
- ID: T1550
- Reference URL: https://attack.mitre.org/techniques/T1550/
Sub-technique:
- Name: Web Session Cookie
- ID: T1550.004
- Reference URL: https://attack.mitre.org/techniques/T1550/004/

« Multiple Okta Client Addresses for a Single User Session Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy »