This rule is part of a beta feature. To learn more, contact Support.

Set up the okta integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when an active Okta session exhibits unusual changes in its ASN (Autonomous System Number) or user agent, potentially indicating session hijacking. This type of attack may allow unauthorized access to application tokens, posing a security risk.

Strategy

This rule lets you monitor all Okta user-generated events to determine when a user takes an action, except for:

  • user.session.clear
  • user.authentication.auth_via_mfa
  • user.session.end

Triage and response

  1. Check the specific Okta session events to confirm ASN or user agent changes for the affected session. Verify if the changes align with known travel or user activity patterns.
  2. Inspect the GeoIP information in the logs to identify unusual locations or ASNs associated with the user. Determine if these IPs are from suspicious or untrusted regions.
  3. If the user did not make the observed authentication attempts:
    • Rotate user credentials.
    • Confirm that no successful authentication attempts have been made.
    • Investigate the source IP: {{@network.client.ip}} using the Cloud SIEM - IP Investigation dashboard to determine if the IP address has taken other actions.
PREVIEWING: mcretzman/DOCS-9337-add-cloud-info-byoti