Elastic Security Detection Rules

Multiple Okta User Authentication Events with Same Device Token Hash

Last updated 3 months ago on 2025-09-25
Created 2 years ago on 2024-06-17

About

Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.
Tags
Use Case: Identity and Access AuditData Source: OktaTactic: Credential AccessLanguage: esql
Severity
low
Risk Score
21
MITRE ATT&CK™

Credential Access (TA0006)(external, opens in a new tab or window)

Brute Force (T1110)(external, opens in a new tab or window)

Brute Force (T1110)(external, opens in a new tab or window)

False Positive Examples
Users may share an endpoint related to work or personal use in which separate Okta accounts are used.Shared systems such as Kiosks and conference room computers may be used by multiple users.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

okta(external, opens in a new tab or window)

Query
text code block:
from logs-okta*
| where
    event.dataset == "okta.system" and
    (event.action like "user.authentication.*" or event.action == "user.session.start") and
    okta.debug_context.debug_data.dt_hash != "-" and
    okta.outcome.reason == "INVALID_CREDENTIALS"
| keep
    event.action,
    okta.debug_context.debug_data.dt_hash,
    okta.actor.id,
    okta.actor.alternate_id,
    okta.outcome.reason
| stats
    Esql.okta_actor_id_count_distinct = count_distinct(okta.actor.id)
  by
    okta.debug_context.debug_data.dt_hash,
    okta.actor.alternate_id
| where
    Esql.okta_actor_id_count_distinct > 20
| sort
    Esql.okta_actor_id_count_distinct desc

Install detection rules in Elastic Security

Detect Multiple Okta User Authentication Events with Same Device Token Hash in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).