users may share an endpoint related to work or personal use in which separate okta accounts are used.

Techniques

T1110

Sample rules

Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy

source: elastic
technicques:
- T1110

Description

Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy.

Detection logic

event.dataset:okta.system
    and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:*
    and okta.event_type:user.authentication* and okta.security_context.is_proxy:true

Multiple Okta User Authentication Events with Same Device Token Hash

source: elastic
technicques:
- T1110

Description

Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.

Detection logic

FROM logs-okta*
| WHERE
    event.dataset == "okta.system"
    AND (event.action RLIKE "user\\.authentication(.*)" OR event.action == "user.session.start")
    AND okta.debug_context.debug_data.dt_hash != "-"
    AND okta.outcome.reason == "INVALID_CREDENTIALS"
| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.actor.id, okta.actor.alternate_id, okta.outcome.reason
| STATS
    target_auth_count = COUNT_DISTINCT(okta.actor.id)
    BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id
| WHERE
    target_auth_count > 20
| SORT
    target_auth_count DESC

High Number of Okta Device Token Cookies Generated for Authentication

source: elastic
technicques:
- T1110

Description

Detects when an Okta client address has a certain threshold of Okta user authentication events with multiple device token hashes generated for single user authentication. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.

Detection logic

FROM logs-okta*
| WHERE
    event.dataset == "okta.system"
    AND (event.action RLIKE "user\\.authentication(.*)" OR event.action == "user.session.start")
    AND okta.debug_context.debug_data.request_uri == "/api/v1/authn"
    AND okta.outcome.reason == "INVALID_CREDENTIALS"
| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.client.ip, okta.actor.alternate_id, okta.debug_context.debug_data.request_uri, okta.outcome.reason
| STATS
    source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)
    BY okta.client.ip, okta.actor.alternate_id
| WHERE
    source_auth_count >= 30
| SORT
    source_auth_count DESC

Multiple Okta User Authentication Events with Client Address

source: elastic
technicques:
- T1110

Description

Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.

Detection logic

FROM logs-okta*
| WHERE
    event.dataset == "okta.system"
    AND (event.action == "user.session.start" OR event.action RLIKE "user\\.authentication(.*)")
    AND okta.outcome.reason == "INVALID_CREDENTIALS"
| KEEP okta.client.ip, okta.actor.alternate_id, okta.actor.id, event.action, okta.outcome.reason
| STATS
    source_auth_count = COUNT_DISTINCT(okta.actor.id)
    BY okta.client.ip, okta.actor.alternate_id
| WHERE
    source_auth_count > 5
| SORT
    source_auth_count DESC