Elastic Security Detection Rules

Okta User Sessions Started from Different Geolocations

Last updated 23 days ago on 2025-07-10
Created 2 years ago on 2023-11-18

About

Detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.
Tags
Use Case: Identity and Access AuditData Source: OktaTactic: Initial AccessLanguage: esql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)(opens in a new tab or window)

Valid Accounts (T1078)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

okta(opens in a new tab or window)

Query
FROM logs-okta*
| WHERE
    event.dataset == "okta.system"
    AND (event.action RLIKE "user\\.authentication(.*)" OR event.action == "user.session.start")
    AND okta.security_context.is_proxy != true and okta.actor.id != "unknown"
    AND event.outcome == "success"
| KEEP event.action, okta.security_context.is_proxy, okta.actor.id, event.outcome, client.geo.country_name, okta.actor.alternate_id
| STATS
    geo_auth_counts = COUNT_DISTINCT(client.geo.country_name)
    BY okta.actor.id, okta.actor.alternate_id
| WHERE
    geo_auth_counts >= 2

Install detection rules in Elastic Security

Detect Okta User Sessions Started from Different Geolocations in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).