Elastic Security Detection Rules

High Number of Okta Device Token Cookies Generated for Authentication

Last updated 13 days ago on 2024-12-09
Created 6 months ago on 2024-06-17

About

Detects when an Okta client address has a certain threshold of Okta user authentication events with multiple device token hashes generated for single user authentication. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.
Tags
Use Case: Identity and Access AuditData Source: OktaTactic: Credential Access
Severity
low
Risk Score
21
MITRE ATT&CK™

Credential Access (TA0006)(opens in a new tab or window)

Brute Force (T1110)(opens in a new tab or window)

Brute Force (T1110)(opens in a new tab or window)

False Positive Examples
Users may share an endpoint related to work or personal use in which separate Okta accounts are used.Shared systems such as Kiosks and conference room computers may be used by multiple users.
License
Elastic License v2(opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

okta(opens in a new tab or window)

Query
FROM logs-okta*
| WHERE
    event.dataset == "okta.system"
    AND (event.action RLIKE "user\\.authentication(.*)" OR event.action == "user.session.start")
    AND okta.debug_context.debug_data.request_uri == "/api/v1/authn"
    AND okta.outcome.reason == "INVALID_CREDENTIALS"
| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.client.ip, okta.actor.alternate_id, okta.debug_context.debug_data.request_uri, okta.outcome.reason
| STATS
    source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)
    BY okta.client.ip, okta.actor.alternate_id
| WHERE
    source_auth_count >= 30
| SORT
    source_auth_count DESC

Install detection rules in Elastic Security

Detect High Number of Okta Device Token Cookies Generated for Authentication in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).