Elastic Security Detection Rules

Multiple Device Token Hashes for Single Okta Session

Last updated 3 months ago on 2025-09-25
Created 2 years ago on 2023-11-08

About

This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.
Tags
Use Case: Identity and Access AuditData Source: OktaTactic: Credential AccessDomain: SaaSLanguage: esql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Credential Access (TA0006)(external, opens in a new tab or window)

Steal Web Session Cookie (T1539)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

okta(external, opens in a new tab or window)

Query
text code block:
from logs-okta*
| where
    event.dataset == "okta.system" and
    not event.action in (
        "policy.evaluate_sign_on",
        "user.session.start",
        "user.authentication.sso"
    ) and
    okta.actor.alternate_id != "system@okta.com" and
    okta.actor.alternate_id rlike "[^@\\s]+\\@[^@\\s]+" and
    okta.authentication_context.external_session_id != "unknown"
| keep
    event.action,
    okta.actor.alternate_id,
    okta.authentication_context.external_session_id,
    okta.debug_context.debug_data.dt_hash
| stats
    Esql.okta_debug_context_debug_data_dt_hash_count_distinct = count_distinct(okta.debug_context.debug_data.dt_hash)
  by
    okta.actor.alternate_id,
    okta.authentication_context.external_session_id
| where
    Esql.okta_debug_context_debug_data_dt_hash_count_distinct >= 2
| sort
    Esql.okta_debug_context_debug_data_dt_hash_count_distinct desc

Install detection rules in Elastic Security

Detect Multiple Device Token Hashes for Single Okta Session in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).