Multiple Device Token Hashes for Single Okta Session

Last updated 5 days ago on 2024-09-23

Created a year ago on 2023-11-08

About

This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.

Tags

Use Case: Identity and Access AuditData Source: OktaTactic: Credential AccessDomain: SaaS

Severity

medium

Risk Score

MITRE ATT&CK™

Credential Access (TA0006)(opens in a new tab or window)

↳ Steal Web Session Cookie (T1539)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Integration Pack: Prebuilt Security Detection Rules
Related Integrations: okta(opens in a new tab or window)
Query

FROM logs-okta*
| WHERE
    event.dataset == "okta.system"
    // ignore authentication events where session and device token hash change often
    AND NOT event.action IN (
        "policy.evaluate_sign_on",
        "user.session.start",
        "user.authentication.sso"
    )
    // ignore Okta system events and only allow registered users
    AND (
        okta.actor.alternate_id != "system@okta.com"
        AND okta.actor.alternate_id RLIKE "[^@\\s]+\\@[^@\\s]+"
    )
    AND okta.authentication_context.external_session_id != "unknown"
| STATS
    dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY
        okta.actor.alternate_id,
        okta.authentication_context.external_session_id
| WHERE
    dt_hash_counts >= 2
| SORT
    dt_hash_counts DESC

Install detection rules in Elastic Security

Detect Multiple Device Token Hashes for Single Okta Session in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).