Elastic Security Detection Rules

Multiple Device Token Hashes for Single Okta Session

Last updated 13 days ago on 2024-12-09
Created a year ago on 2023-11-08

About

This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.
Tags
Use Case: Identity and Access AuditData Source: OktaTactic: Credential AccessDomain: SaaS
Severity
medium
Risk Score
47
MITRE ATT&CK™

Credential Access (TA0006)(opens in a new tab or window)

Steal Web Session Cookie (T1539)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

okta(opens in a new tab or window)

Query
FROM logs-okta*
| WHERE
    event.dataset == "okta.system"
    // ignore authentication events where session and device token hash change often
    AND NOT event.action IN (
        "policy.evaluate_sign_on",
        "user.session.start",
        "user.authentication.sso"
    )
    // ignore Okta system events and only allow registered users
    AND (
        okta.actor.alternate_id != "system@okta.com"
        AND okta.actor.alternate_id RLIKE "[^@\\s]+\\@[^@\\s]+"
    )
    AND okta.authentication_context.external_session_id != "unknown"
| KEEP event.action, okta.actor.alternate_id, okta.authentication_context.external_session_id, okta.debug_context.debug_data.dt_hash
| STATS
    dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY
        okta.actor.alternate_id,
        okta.authentication_context.external_session_id
| WHERE
    dt_hash_counts >= 2
| SORT
    dt_hash_counts DESC

Install detection rules in Elastic Security

Detect Multiple Device Token Hashes for Single Okta Session in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).