Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1528-steal-application-access-token

VIEW RULE IN DATADOG VIEW SIGNALS

Set up the okta integration.

Goal

Detect when an active Okta session exhibits unusual changes in its ASN (Autonomous System Number) or user agent, potentially indicating session hijacking. This type of attack may allow unauthorized access to application tokens, posing a security risk.

Strategy

This rule lets you monitor all Okta user-generated events to determine when a user takes an action, except for:

• user.session.clear
• user.authentication.auth_via_mfa
• user.session.end

Triage and response

1. Check the specific Okta session events to confirm ASN or user agent changes for the affected session. Verify if the changes align with known travel or user activity patterns.
2. Inspect the GeoIP information in the logs to identify unusual locations or ASNs associated with the user. Determine if these IPs are from suspicious or untrusted regions.
3. If the user did not make the observed authentication attempts:
   • Rotate user credentials.
   • Confirm that no successful authentication attempts have been made.
   • Investigate the source IP: {{@network.client.ip}} using the Cloud SIEM - IP Investigation dashboard to determine if the IP address has taken other actions.