Techniques
Sample rules
Okta Suspicious Use of a Session Cookie
- source: splunk
- technicques:
- T1539
Description
The following analytic looks for one or more policy evaluation events in which multiple client values (IP, User Agent, etc.) change associated to the same Device Token for a specific user. A detection opportunity arises when an adversary attempts to reuse a stolen web session cookie.
- Retrieves policy evaluation events from successful authentication events.
- Aggregates/Groups by Device Token and User, providing the first policy evaluation event in the search window.
- It checks for the presence of more than one IP and whether there are multiple OS or browsers for each User/Device Token combination.
Detection logic
`okta` eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW, SUCCESS)
| stats earliest(_time) as _time, values(client.ipAddress) as src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(client.userAgent.os) as userAgentOS_list, values(client.geographicalContext.city) as city, values(client.userAgent.browser) as userAgentBrowser_list, values(device.os_platform) as okta_device_os, dc(client.userAgent.browser) as dc_userAgentBrowser, dc(client.userAgent.os) as dc_userAgentOS, dc(client.ipAddress) as dc_src_ip, values(outcome.reason) as reason by debugContext.debugData.dtHash, user
| where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1)
| `okta_suspicious_use_of_a_session_cookie_filter`