Techniques
Sample rules
Multiple Okta User Authentication Events with Same Device Token Hash
- source: elastic
- technicques:
- T1110
Description
Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.
Detection logic
from logs-okta*
| where
event.dataset == "okta.system" and
(event.action like "user.authentication.*" or event.action == "user.session.start") and
okta.debug_context.debug_data.dt_hash != "-" and
okta.outcome.reason == "INVALID_CREDENTIALS"
| keep
event.action,
okta.debug_context.debug_data.dt_hash,
okta.actor.id,
okta.actor.alternate_id,
okta.outcome.reason
| stats
Esql.okta_actor_id_count_distinct = count_distinct(okta.actor.id)
by
okta.debug_context.debug_data.dt_hash,
okta.actor.alternate_id
| where
Esql.okta_actor_id_count_distinct > 20
| sort
Esql.okta_actor_id_count_distinct desc
Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy
- source: elastic
- technicques:
- T1110
Description
Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy.
Detection logic
event.dataset:okta.system
and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:*
and okta.event_type:user.authentication* and okta.security_context.is_proxy:true