LoFP / shared systems such as kiosks and conference room computers may be used by multiple users.

Techniques

• T1110

Sample rules

Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy

• source: elastic
• technicques:
  • T1110

Description

Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy.

Detection logic

event.dataset:okta.system
    and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:*
    and okta.event_type:user.authentication* and okta.security_context.is_proxy:true