IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« First Occurrence of Okta User Session Started via Proxy Multiple Okta Client Addresses for a Single User Session »

› ›

Multiple Okta Users with the Same Device Token Hash

edit

Multiple Okta Users with the Same Device Token Hash

edit

Detects when Okta user or system events are reported for multiple users with the same device token hash.

Rule type: threshold

Rule indices:

filebeat-*
logs-okta*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Initial Access

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

## Setup

Rule query

edit

event.dataset:okta.system and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:* and okta.event_type:(system* or user*)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
Sub-technique:
- Name: Cloud Accounts
- ID: T1078.004
- Reference URL: https://attack.mitre.org/techniques/T1078/004/

« First Occurrence of Okta User Session Started via Proxy Multiple Okta Client Addresses for a Single User Session »