Elastic Security Detection Rules

High Number of Okta Device Token Cookies Generated for Authentication

Last updated 3 months ago on 2025-09-25
Created 2 years ago on 2024-06-17

About

Detects when an Okta client address has a certain threshold of Okta user authentication events with multiple device token hashes generated for single user authentication. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.
Tags
Use Case: Identity and Access AuditData Source: OktaTactic: Credential AccessLanguage: esql
Severity
low
Risk Score
21
MITRE ATT&CK™

Credential Access (TA0006)(external, opens in a new tab or window)

Brute Force (T1110)(external, opens in a new tab or window)

Brute Force (T1110)(external, opens in a new tab or window)

False Positive Examples
Users may share an endpoint related to work or personal use in which separate Okta accounts are used.Shared systems such as Kiosks and conference room computers may be used by multiple users.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

okta(external, opens in a new tab or window)

Query
text code block:
from logs-okta*
| where
    event.dataset == "okta.system" and
    (event.action like "user.authentication.*" or event.action == "user.session.start") and
    okta.debug_context.debug_data.request_uri == "/api/v1/authn" and
    okta.outcome.reason == "INVALID_CREDENTIALS"
| keep
    event.action,
    okta.debug_context.debug_data.dt_hash,
    okta.client.ip,
    okta.actor.alternate_id,
    okta.debug_context.debug_data.request_uri,
    okta.outcome.reason
| stats
    Esql.okta_debug_context_debug_data_dt_hash_count_distinct = count_distinct(okta.debug_context.debug_data.dt_hash)
  by
    okta.client.ip,
    okta.actor.alternate_id
| where
    Esql.okta_debug_context_debug_data_dt_hash_count_distinct >= 30
| sort
    Esql.okta_debug_context_debug_data_dt_hash_count_distinct desc

Install detection rules in Elastic Security

Detect High Number of Okta Device Token Cookies Generated for Authentication in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).