Multiple Device Token Hashes for Single Okta Session

Last updated a month ago on 2026-04-13

Created 3 years ago on 2023-11-08

About

This rule detects when a specific Okta actor has multiple device token hashes and multiple source IPs for a single Okta session. This may indicate an authenticated session has been hijacked or replayed from a different device and network. Adversaries may steal session cookies or tokens to gain unauthorized access to Okta admin console, applications, tenants, or other resources.

Tags

Domain: IdentityDomain: SaaSData Source: OktaData Source: Okta System LogsTactic: Credential AccessLanguage: esql

Severity

medium

Risk Score

MITRE ATT&CK™

Credential Access (TA0006)(external, opens in a new tab or window)

↳ Steal Web Session Cookie (T1539)(external, opens in a new tab or window)

Defense Evasion (TA0005)(external, opens in a new tab or window)

↳ Use Alternate Authentication Material (T1550)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack: Prebuilt Security Detection Rules
Related Integrations: okta(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗from logs-okta.system-*
| where
    data_stream.dataset == "okta.system" and
    not event.action in (
        "policy.evaluate_sign_on",
        "user.session.start",
        "user.authentication.sso"
    ) and
    okta.actor.alternate_id != "system@okta.com" and
    okta.actor.alternate_id rlike "[^@\\s]+\\@[^@\\s]+" and
    okta.authentication_context.external_session_id != "unknown" and
    (
        okta.authentication_context.external_session_id IS NOT NULL and
        okta.debug_context.debug_data.dt_hash IS NOT NULL and
        okta.client.ip IS NOT NULL and
        okta.client.user_agent.raw_user_agent IS NOT NULL
    ) and
    (
        okta.authentication_context.external_session_id != "-" and
        okta.debug_context.debug_data.dt_hash != "-" and
        okta.client.user_agent.raw_user_agent != "-"
    )
| stats
    Esql.dt_hash_count_distinct = count_distinct(okta.debug_context.debug_data.dt_hash),
    Esql.client_ip_count_distinct = count_distinct(okta.client.ip),
    Esql.event_count = count(*),
    Esql.first_event_time = min(@timestamp),
    Esql.last_event_time = max(@timestamp),
    Esql.dt_hash_values = values(okta.debug_context.debug_data.dt_hash),
    Esql.event_action_values = values(event.action),
    Esql.client_ip_values = values(okta.client.ip),
    Esql.user_agent_values = values(okta.client.user_agent.raw_user_agent),
    Esql.device_values = values(okta.client.device),
    Esql.is_proxy_values = values(okta.security_context.is_proxy),
    Esql.geo_country_name_values = values(client.geo.country_name),
    Esql.geo_city_name_values = values(client.geo.city_name),
    Esql.source_asn_number_values = values(source.`as`.number),
    Esql.source_asn_org_name_values = values(source.`as`.organization.name),
    Esql.threat_suspected_values = values(okta.debug_context.debug_data.threat_suspected),
    Esql.risk_level_values = values(okta.debug_context.debug_data.risk_level),
    Esql.risk_reasons_values = values(okta.debug_context.debug_data.risk_reasons),
    Esql.behaviors_values = values(okta.debug_context.debug_data.behaviors),
    Esql.device_fingerprint_values = values(okta.debug_context.debug_data.device_fingerprint),
    Esql.risk_behaviors_values = values(okta.debug_context.debug_data.risk_behaviors),
    Esql.request_uri_values = values(okta.debug_context.debug_data.request_uri)
  by
    okta.actor.alternate_id,
    okta.authentication_context.external_session_id
| where
    Esql.dt_hash_count_distinct >= 4 and
    Esql.client_ip_count_distinct >= 2
| keep Esql.*, okta.*

Install detection rules in Elastic Security

Detect Multiple Device Token Hashes for Single Okta Session in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).