Okta session hijacking

This rule is part of a beta feature. To learn more, contact Support.
okta

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1528-steal-application-access-token

Set up the okta integration.

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when an active Okta session exhibits unusual changes in its ASN (Autonomous System Number) or user agent, potentially indicating session hijacking. This type of attack may allow unauthorized access to application tokens, posing a security risk.

Strategy

This rule lets you monitor all Okta user-generated events to determine when a user takes an action, except for:

  • user.session.clear
  • user.authentication.auth_via_mfa
  • user.session.end

Triage and response

  1. Check the specific Okta session events to confirm ASN or user agent changes for the affected session. Verify if the changes align with known travel or user activity patterns.
  2. Inspect the GeoIP information in the logs to identify unusual locations or ASNs associated with the user. Determine if these IPs are from suspicious or untrusted regions.
  3. If the user did not make the observed authentication attempts:
    • Rotate user credentials.
    • Confirm that no successful authentication attempts have been made.
    • Investigate the source IP: {{@network.client.ip}} using the Cloud SIEM - IP Investigation dashboard to determine if the IP address has taken other actions.
PREVIEWING: Cyril-Bouchiat/add-vm-package-explorer-doc