Techniques
Sample rules
Okta Suspicious Use of a Session Cookie
- source: splunk
- technicques:
- T1539
Description
The following analytic identifies suspicious use of a session cookie by detecting multiple client values (IP, User Agent, etc.) changing for the same Device Token associated with a specific user. It leverages policy evaluation events from successful authentication logs in Okta. This activity is significant as it may indicate an adversary attempting to reuse a stolen web session cookie, potentially bypassing authentication mechanisms. If confirmed malicious, this could allow unauthorized access to user accounts, leading to data breaches or further exploitation within the environment.
Detection logic
`okta` eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW, SUCCESS)
| stats earliest(_time) as _time, values(client.ipAddress) as src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(client.userAgent.os) as userAgentOS_list, values(client.geographicalContext.city) as city, values(client.userAgent.browser) as userAgentBrowser_list, values(device.os_platform) as okta_device_os, dc(client.userAgent.browser) as dc_userAgentBrowser, dc(client.userAgent.os) as dc_userAgentOS, dc(client.ipAddress) as dc_src_ip, values(outcome.reason) as reason by debugContext.debugData.dtHash, user
| where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1)
| `okta_suspicious_use_of_a_session_cookie_filter`