Multiple Okta Sessions Detected for a Single User

Last updated 3 days ago on 2024-12-19

Created a year ago on 2023-11-07

About

Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location.

Tags

Use Case: Identity and Access AuditData Source: OktaTactic: Lateral Movement

Severity

medium

Risk Score

MITRE ATT&CK™

Lateral Movement (TA0008)(opens in a new tab or window)

↳ Use Alternate Authentication Material (T1550)(opens in a new tab or window)

False Positive Examples

A user may have multiple sessions open at the same time, such as on a mobile device and a laptop.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Threshold Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-okta*
Related Integrations: okta(opens in a new tab or window)
Query

event.dataset:okta.system
    and okta.event_type:user.session.start
    and okta.authentication_context.external_session_id:*
    and not (okta.actor.id: okta* or okta.actor.display_name: okta*)

Install detection rules in Elastic Security

Detect Multiple Okta Sessions Detected for a Single User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).