LoFP / shared systems such as kiosks and conference room computers may be used by multiple users.

Techniques

Sample rules

Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy

Description

Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy.

Detection logic

event.dataset:okta.system
    and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:*
    and okta.event_type:user.authentication* and okta.security_context.is_proxy:true

High Number of Okta Device Token Cookies Generated for Authentication

Description

Detects when a single Okta client address reaches a threshold of distinct device token hashes generated across failed authentication attempts for one user. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.

Detection logic

from logs-okta*
| where
    event.dataset == "okta.system" and
    (event.action rlike "user\.authentication(.*)" or event.action == "user.session.start") and
    okta.debug_context.debug_data.request_uri == "/api/v1/authn" and
    okta.outcome.reason == "INVALID_CREDENTIALS"
| keep
    event.action,
    okta.debug_context.debug_data.dt_hash,
    okta.client.ip,
    okta.actor.alternate_id,
    okta.debug_context.debug_data.request_uri,
    okta.outcome.reason
| stats
    Esql.okta_debug_context_debug_data_dt_hash_count_distinct = count_distinct(okta.debug_context.debug_data.dt_hash)
  by
    okta.client.ip,
    okta.actor.alternate_id
| where
    Esql.okta_debug_context_debug_data_dt_hash_count_distinct >= 30
| sort
    Esql.okta_debug_context_debug_data_dt_hash_count_distinct desc

Multiple Okta User Authentication Events with Client Address

Description

Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.

Detection logic

from logs-okta*
| where
    event.dataset == "okta.system" and
    (event.action == "user.session.start" or event.action rlike "user\.authentication(.*)") and
    okta.outcome.reason == "INVALID_CREDENTIALS"
| keep
    okta.client.ip,
    okta.actor.alternate_id,
    okta.actor.id,
    event.action,
    okta.outcome.reason
| stats
    Esql.okta_actor_id_count_distinct = count_distinct(okta.actor.id)
  by
    okta.client.ip,
    okta.actor.alternate_id
| where
    Esql.okta_actor_id_count_distinct > 5
| sort
    Esql.okta_actor_id_count_distinct desc

Multiple Okta User Authentication Events with Same Device Token Hash

Description

Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.

Detection logic

from logs-okta*
| where
    event.dataset == "okta.system" and
    (event.action rlike "user\.authentication(.*)" or event.action == "user.session.start") and
    okta.debug_context.debug_data.dt_hash != "-" and
    okta.outcome.reason == "INVALID_CREDENTIALS"
| keep
    event.action,
    okta.debug_context.debug_data.dt_hash,
    okta.actor.id,
    okta.actor.alternate_id,
    okta.outcome.reason
| stats
    Esql.okta_actor_id_count_distinct = count_distinct(okta.actor.id)
  by
    okta.debug_context.debug_data.dt_hash,
    okta.actor.alternate_id
| where
    Esql.okta_actor_id_count_distinct > 20
| sort
    Esql.okta_actor_id_count_distinct desc
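The three ES|QL rules above share one shape: filter Okta system-log events down to failed credential checks, then `count_distinct` one field grouped by another and alert above a threshold. The block below is an added illustration, not the page's or Elastic's own code: it re-implements that filter-and-aggregate step in Python over a constructed set of events so the shared-system false positive this page is about can be seen directly. Field names follow the queries above; the sample events, the `KNOWN_SHARED_SYSTEMS` allowlist and the `alerts` helper are assumptions made for the example. The example generalizes slightly by letting the grouping and counted fields be parameters, so the same helper reproduces each rule's aggregation.

```python
import re
from collections import defaultdict

# Constructed sample Okta system-log events (not real data). Keys mirror the
# fields referenced by the ES|QL rules on this page.
def _event(ip, actor_id, alt_id, dt_hash, reason="INVALID_CREDENTIALS",
           action="user.session.start"):
    ev = {
        "event.dataset": "okta.system",
        "event.action": action,
        "okta.client.ip": ip,
        "okta.actor.id": actor_id,
        "okta.actor.alternate_id": alt_id,
        "okta.debug_context.debug_data.dt_hash": dt_hash,
        "okta.debug_context.debug_data.request_uri": "/api/v1/authn",
    }
    if reason is not None:          # successful logins carry no failure reason
        ev["okta.outcome.reason"] = reason
    return ev

SAMPLE_EVENTS = [
    # A conference-room PC at 10.20.30.40: one device token hash, six different
    # people each mistype a password during the day (legitimate shared-system noise).
    *[_event("10.20.30.40", f"00u_kiosk_{i}", f"user{i}@example.test", "dt_kiosk_aaaa")
      for i in range(6)],
    # One of them then logs in successfully: dropped by the INVALID_CREDENTIALS filter.
    _event("10.20.30.40", "00u_kiosk_0", "user0@example.test", "dt_kiosk_aaaa", reason=None),
    # A personal laptop with a single failed MFA step: never crosses a threshold.
    _event("192.0.2.7", "00u_laptop", "solo@example.test", "dt_laptop_bbbb",
           action="user.authentication.auth_via_mfa"),
]

# Hypothetical allowlist of registered shared systems, keyed by client address.
KNOWN_SHARED_SYSTEMS = frozenset({"10.20.30.40"})

AUTH_ACTION = re.compile(r"user\.authentication(.*)")

def in_scope(ev):
    """Mirror of the rules' `where` clause: Okta system log, an authentication or
    session-start action, and a failed credential check."""
    if ev.get("event.dataset") != "okta.system":
        return False
    action = ev.get("event.action", "")
    if not (action == "user.session.start" or AUTH_ACTION.fullmatch(action)):
        return False
    return ev.get("okta.outcome.reason") == "INVALID_CREDENTIALS"

def count_distinct_by(events, group_field, distinct_field):
    """Equivalent of `stats count_distinct(distinct_field) by group_field`
    over the in-scope events."""
    seen = defaultdict(set)
    for ev in events:
        if in_scope(ev) and group_field in ev and distinct_field in ev:
            seen[ev[group_field]].add(ev[distinct_field])
    return {key: len(vals) for key, vals in seen.items()}

def alerts(events, group_field, distinct_field, threshold, inclusive=False,
           known_shared=frozenset()):
    """Group keys that cross the threshold (`>` or, with inclusive=True, `>=`),
    each tagged with whether the key is a registered shared system. That tag is
    what a triage step needs to separate kiosk noise from a spraying source."""
    counts = count_distinct_by(events, group_field, distinct_field)
    hit = (lambda n: n >= threshold) if inclusive else (lambda n: n > threshold)
    return {key: {"count": n, "expected_shared_system": key in known_shared}
            for key, n in counts.items() if hit(n)}

def demo():
    # "Multiple ... Events with Client Address": distinct users per client IP, > 5
    by_ip = alerts(SAMPLE_EVENTS, "okta.client.ip", "okta.actor.id", 5,
                   known_shared=KNOWN_SHARED_SYSTEMS)
    # "Multiple ... Events with Same Device Token Hash": distinct users per dt_hash, > 20
    by_dt = alerts(SAMPLE_EVENTS, "okta.debug_context.debug_data.dt_hash",
                   "okta.actor.id", 20)
    # "High Number of Okta Device Token Cookies": distinct dt_hash per client IP, >= 30
    tokens_per_ip = alerts(SAMPLE_EVENTS, "okta.client.ip",
                           "okta.debug_context.debug_data.dt_hash", 30, inclusive=True)
    return by_ip, by_dt, tokens_per_ip

if __name__ == "__main__":
    for name, result in zip(("by client ip", "by dt_hash", "tokens per ip"), demo()):
        print(name, result)
```

On this sample only the client-address rule fires: six distinct failing users from one address exceeds the `> 5` threshold, while the same six users sit well under the `> 20` device-token-hash threshold, and a kiosk that reuses one token hash never approaches `>= 30` distinct hashes. The `expected_shared_system` tag on the hit is the practical mitigation for the false positive named at the top of this page: keep an inventory of kiosks and conference-room machines and use it to route those hits to a lower-priority queue rather than raising the threshold for everyone.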