IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Okta User Sessions Started from Different Geolocations
Detects when a single Okta actor (okta.actor.id) starts user sessions from different geolocations (client.geo.country_name) within the rule's look-back window. Concurrent sessions for one account from two countries can indicate stolen credentials or a hijacked session being used alongside the legitimate user.
Rule type: threshold
Rule indices:
- filebeat-*
- logs-okta*
Severity: medium
Risk score: 47
Runs every: 15m
Searches indices from: now-30m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
- https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy
- https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
- https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/
Tags:
- Use Case: Identity and Access Audit
- Data Source: Okta
- Tactic: Initial Access
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
Rule query
event.dataset:okta.system and okta.event_type:user.session.start and not okta.security_context.is_proxy:true and okta.actor.id:* and client.geo.country_name:*
The query selects only user.session.start events from the Okta system log, drops events Okta has flagged as arriving through a known proxy (okta.security_context.is_proxy), and requires both an actor id and a resolved country so that the threshold can group on the actor and count distinct countries. Sessions from VPN egress points or corporate proxies that Okta does not flag will still be counted, so expect some benign matches from travelling or VPN-using staff.
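To see how this threshold rule behaves on concrete data, here is an added stand-alone simulation of its logic (this is example code, not Elastic's rule engine or the rule's own definition). It assumes the threshold groups on okta.actor.id and fires when the cardinality of client.geo.country_name inside the 30-minute look-back reaches 2; the page does not list the threshold settings, so treat those values as assumptions. The ECS-shaped Okta events are constructed for the example.

```python
"""
Simulated evaluation of "Okta User Sessions Started from Different
Geolocations" (added example; not Elastic's code).

Assumptions (not stated on the page):
  - threshold field: okta.actor.id
  - cardinality:     client.geo.country_name >= 2
  - look-back:       now-30m, as the rule metadata shows
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(minutes=30)
MIN_COUNTRIES = 2  # assumed cardinality threshold


def matches_query(evt):
    """Mirror the rule's KQL filter:
    event.dataset:okta.system and okta.event_type:user.session.start
    and not okta.security_context.is_proxy:true
    and okta.actor.id:* and client.geo.country_name:*
    """
    if evt.get("event", {}).get("dataset") != "okta.system":
        return False
    okta = evt.get("okta", {})
    if okta.get("event_type") != "user.session.start":
        return False
    if okta.get("security_context", {}).get("is_proxy") is True:
        return False
    if not okta.get("actor", {}).get("id"):
        return False
    if not evt.get("client", {}).get("geo", {}).get("country_name"):
        return False
    return True


def find_multi_geo_sessions(events, now, lookback=LOOKBACK, min_countries=MIN_COUNTRIES):
    """Return {actor_id: sorted countries} for every actor whose qualifying
    session starts inside the look-back window came from >= min_countries
    distinct countries. Each such actor would produce one threshold alert."""
    window_start = now - lookback
    countries = defaultdict(set)
    for evt in events:
        if not matches_query(evt):
            continue
        ts = datetime.fromisoformat(evt["@timestamp"].replace("Z", "+00:00"))
        if ts < window_start or ts > now:
            continue  # outside "Searches indices from: now-30m"
        countries[evt["okta"]["actor"]["id"]].add(evt["client"]["geo"]["country_name"])
    return {a: sorted(c) for a, c in countries.items() if len(c) >= min_countries}


def make_event(ts, actor_id, country, event_type="user.session.start", is_proxy=False):
    """Build a constructed ECS-shaped Okta system log event (sample data)."""
    return {
        "@timestamp": ts,
        "event": {"dataset": "okta.system"},
        "okta": {
            "event_type": event_type,
            "actor": {"id": actor_id},
            "security_context": {"is_proxy": is_proxy},
        },
        "client": {"geo": {"country_name": country}},
    }


NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample events; actor ids are placeholders, not real Okta users.
SAMPLE_EVENTS = [
    make_event("2024-01-15T11:40:00Z", "00u1abc", "United States"),
    make_event("2024-01-15T11:52:00Z", "00u1abc", "Germany"),          # second country -> alert
    make_event("2024-01-15T11:45:00Z", "00u2def", "United States"),
    make_event("2024-01-15T11:50:00Z", "00u2def", "United States"),    # same country twice
    make_event("2024-01-15T11:46:00Z", "00u3ghi", "France"),
    make_event("2024-01-15T11:47:00Z", "00u3ghi", "Brazil", is_proxy=True),  # proxy, excluded
    make_event("2024-01-15T10:00:00Z", "00u4jkl", "Japan"),            # before the window
    make_event("2024-01-15T11:55:00Z", "00u4jkl", "Canada"),
    make_event("2024-01-15T11:56:00Z", "00u5mno", "India", event_type="user.session.end"),
    make_event("2024-01-15T11:57:00Z", "00u5mno", "Mexico"),
]

if __name__ == "__main__":
    for actor, found in find_multi_geo_sessions(SAMPLE_EVENTS, NOW).items():
        print(f"ALERT okta.actor.id={actor} countries={found}")
```

Only 00u1abc alerts: 00u3ghi's second country is dropped by the is_proxy exclusion, 00u4jkl's Japan session falls outside the 30-minute window, and 00u5mno's India event is a session end rather than a session start. When tuning, note that a user whose VPN egress is in another country will legitimately produce two countries within one window.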
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Initial Access
  - ID: TA0001
  - Reference URL: https://attack.mitre.org/tactics/TA0001/
- Technique:
  - Name: Valid Accounts
  - ID: T1078
  - Reference URL: https://attack.mitre.org/techniques/T1078/
- Sub-technique:
  - Name: Cloud Accounts
  - ID: T1078.004
  - Reference URL: https://attack.mitre.org/techniques/T1078/004/