LoFP / a user may have multiple sessions open at the same time, such as on a mobile device and a laptop.

Techniques

Sample rules

Multiple Okta Sessions Detected for a Single User

Description

Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user’s session cookie and is using it to access the user’s account from a different location.

Detection logic

event.dataset:okta.system
    and okta.event_type:user.session.start
    and okta.authentication_context.external_session_id:*
    and not (okta.actor.id: okta* or okta.actor.display_name: okta*)
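
The query above selects individual session-start events; the "multiple sessions" condition still needs a per-user count of distinct session IDs. The added example below (not part of the LoFP page or of the rule itself) applies the query's clauses to constructed events and groups them by okta.actor.id. The threshold of two, the lack of a time window, the case-insensitive prefix match and the source.ip context field are assumptions.

```python
from collections import defaultdict

SID = "okta.authentication_context.external_session_id"

def ev(actor, name, sid, ip, etype="user.session.start"):
    """Build one constructed event, flattened to the query's dotted field names."""
    return {"event.dataset": "okta.system", "okta.event_type": etype,
            "okta.actor.id": actor, "okta.actor.display_name": name,
            SID: sid, "source.ip": ip}

# Constructed sample batch (not real logs); source.ip is an assumed context field.
EVENTS = [
    ev("00u1", "Alice", "sess-a1", "198.51.100.10"),   # laptop
    ev("00u1", "Alice", "sess-a2", "198.51.100.10"),   # phone, same network
    ev("00u2", "Bob", "sess-b1", "198.51.100.20"),
    ev("00u2", "Bob", "sess-b2", "203.0.113.77"),      # second session, new IP
    ev("00u3", "Carol", "sess-c1", "192.0.2.5"),
    ev("00u3", "Carol", "sess-c1", "192.0.2.5"),       # same session ID repeated
    ev("00u4", "Okta System", "sess-s1", "192.0.2.9"),
    ev("00u4", "Okta System", "sess-s2", "192.0.2.9"),
    ev("00u5", "Dave", "sess-d1", "192.0.2.6", etype="user.authentication.sso"),
    ev("00u5", "Dave", None, "192.0.2.6"),             # no session ID recorded
]

def matches_query(e):
    """Apply the four clauses of the query above to one event."""
    # okta* prefix test on both actor fields (case-insensitive here: an assumption)
    is_okta = any(str(e.get(f) or "").lower().startswith("okta")
                  for f in ("okta.actor.id", "okta.actor.display_name"))
    return (e.get("event.dataset") == "okta.system"
            and e.get("okta.event_type") == "user.session.start"
            and bool(e.get(SID)) and not is_okta)

def multi_session_actors(events, min_sessions=2):
    """Group matches by actor; return those with >= min_sessions distinct session IDs."""
    sessions, ips = defaultdict(set), defaultdict(set)
    for e in filter(matches_query, events):
        sessions[e["okta.actor.id"]].add(e[SID])
        ips[e["okta.actor.id"]].add(e.get("source.ip", "unknown"))
    return {a: {"sessions": sorted(s), "ips": sorted(ips[a])}
            for a, s in sessions.items() if len(s) >= min_sessions}

if __name__ == "__main__":
    for actor, hit in multi_session_actors(EVENTS).items():
        print(actor, hit)
```

Alice and Bob are both returned: Alice's two sessions share one IP, which is the false-positive case this page names, while Bob's come from two different addresses and warrant a closer look.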