Techniques
Sample rules
Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy
- source: elastic
- techniques:
- T1110
Description
Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy.
Detection logic
event.dataset:okta.system
and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:*
and okta.event_type:user.authentication* and okta.security_context.is_proxy:true
Multiple Okta User Authentication Events with Same Device Token Hash
- source: elastic
- techniques:
- T1110
Description
Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.
Detection logic
FROM logs-okta*
| WHERE
event.dataset == "okta.system"
AND (event.action RLIKE "user\\.authentication(.*)" OR event.action == "user.session.start")
AND okta.debug_context.debug_data.dt_hash != "-"
AND okta.outcome.reason == "INVALID_CREDENTIALS"
| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.actor.id, okta.actor.alternate_id, okta.outcome.reason
| STATS
target_auth_count = COUNT_DISTINCT(okta.actor.id)
BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id
| WHERE
target_auth_count > 20
| SORT
target_auth_count DESC
High Number of Okta Device Token Cookies Generated for Authentication
- source: elastic
- techniques:
- T1110
Description
Detects when an Okta client address reaches a threshold of Okta user authentication events in which multiple device token hashes are generated for a single user's authentication attempts. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.
Detection logic
FROM logs-okta*
| WHERE
event.dataset == "okta.system"
AND (event.action RLIKE "user\\.authentication(.*)" OR event.action == "user.session.start")
AND okta.debug_context.debug_data.request_uri == "/api/v1/authn"
AND okta.outcome.reason == "INVALID_CREDENTIALS"
| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.client.ip, okta.actor.alternate_id, okta.debug_context.debug_data.request_uri, okta.outcome.reason
| STATS
source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)
BY okta.client.ip, okta.actor.alternate_id
| WHERE
source_auth_count >= 30
| SORT
source_auth_count DESC
Multiple Okta User Authentication Events with Client Address
- source: elastic
- techniques:
- T1110
Description
Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.
Detection logic
FROM logs-okta*
| WHERE
event.dataset == "okta.system"
AND (event.action == "user.session.start" OR event.action RLIKE "user\\.authentication(.*)")
AND okta.outcome.reason == "INVALID_CREDENTIALS"
| KEEP okta.client.ip, okta.actor.alternate_id, okta.actor.id, event.action, okta.outcome.reason
| STATS
source_auth_count = COUNT_DISTINCT(okta.actor.id)
BY okta.client.ip, okta.actor.alternate_id
| WHERE
source_auth_count > 5
| SORT
source_auth_count DESC
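The three ES|QL rules above share one shape: keep failed authentication events, pivot on a device token hash or client address, count distinct values of another field, and alert above a threshold. The following Python is an added example (not Elastic's code and not from this page) that runs that aggregation over constructed sample events; the field-name constants, the make_event helper, the SAMPLE data and the choice to group on the pivot field alone (rather than the rules' two-field BY clause) are assumptions made here.

```python
import re
from collections import defaultdict

# Flattened ECS field names used by the Okta rules above.
DT_HASH = "okta.debug_context.debug_data.dt_hash"
REQ_URI = "okta.debug_context.debug_data.request_uri"
ACTOR_ID, CLIENT_IP, REASON = "okta.actor.id", "okta.client.ip", "okta.outcome.reason"
AUTH_ACTION = re.compile(r"user\.authentication(.*)")   # the RLIKE pattern from the rules

def make_event(action, dt_hash, actor_id, ip, reason, uri="/api/v1/authn"):
    """Build one constructed Okta system-log event (sample data, not real)."""
    return {"event.action": action, DT_HASH: dt_hash, ACTOR_ID: actor_id,
            CLIENT_IP: ip, REASON: reason, REQ_URI: uri}

def is_failed_auth(ev):
    """Shared WHERE clause: authentication or session-start event that failed on credentials."""
    action = ev["event.action"]
    is_auth = action == "user.session.start" or AUTH_ACTION.fullmatch(action) is not None
    return is_auth and ev.get(REASON) == "INVALID_CREDENTIALS"

def failed_auth_pivot(events, group_field, count_field, min_count, require=None):
    """Mirror of STATS COUNT_DISTINCT(count_field) BY group_field | WHERE >= min_count | SORT DESC.
    Events whose pivot value is missing or "-" (Okta's 'no device token' marker) are skipped."""
    seen = defaultdict(set)
    for ev in events:
        if not is_failed_auth(ev) or any(ev.get(f) != v for f, v in (require or {}).items()):
            continue
        key, val = ev.get(group_field), ev.get(count_field)
        if key not in (None, "-") and val not in (None, "-"):
            seen[key].add(val)
    hits = [(k, len(v)) for k, v in seen.items() if len(v) >= min_count]
    return sorted(hits, key=lambda kv: kv[1], reverse=True)

# Rule 2: one device token hash, more than 20 distinct actor ids.
def same_device_token_hits(events):
    return failed_auth_pivot(events, DT_HASH, ACTOR_ID, 21)
# Rule 3: one client address, 30 or more distinct device token hashes on /api/v1/authn.
def token_churn_hits(events):
    return failed_auth_pivot(events, CLIENT_IP, DT_HASH, 30, require={REQ_URI: "/api/v1/authn"})
# Rule 4: one client address, more than 5 distinct actor ids.
def same_client_ip_hits(events):
    return failed_auth_pivot(events, CLIENT_IP, ACTOR_ID, 6)

# Constructed sample: 25 users sprayed through one device token and IP, plus benign noise.
SAMPLE = [make_event("user.authentication.auth_via_mfa", "dt_spray", f"00u{i:03d}",
                     "198.51.100.7", "INVALID_CREDENTIALS") for i in range(25)]
SAMPLE += [make_event("user.session.start", "dt_alice", "00ualice", "203.0.113.9", "INVALID_CREDENTIALS")] * 2
SAMPLE += [make_event("user.session.start", "dt_alice", "00ualice", "203.0.113.9", None)]  # later success
SAMPLE += [make_event("user.authentication.sso", "-", "00ubob", "203.0.113.10", "INVALID_CREDENTIALS")]
```

Against SAMPLE, the device-token and client-address rules both fire on the spraying source, while the token-churn rule stays quiet because the spray reused a single device token.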