Detection: Okta Suspicious Use of a Session Cookie

Description

The following analytic identifies suspicious use of a session cookie by detecting multiple client values (IP, User Agent, etc.) changing for the same Device Token associated with a specific user. It leverages policy evaluation events from successful authentication logs in Okta. This activity is significant as it may indicate an adversary attempting to reuse a stolen web session cookie, potentially bypassing authentication mechanisms. If confirmed malicious, this could allow unauthorized access to user accounts, leading to data breaches or further exploitation within the environment.

1`okta` eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW, SUCCESS) 
2| stats earliest(_time) as _time, values(client.ipAddress) as src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(client.userAgent.os) as userAgentOS_list, values(client.geographicalContext.city) as city, values(client.userAgent.browser) as userAgentBrowser_list, values(device.os_platform) as okta_device_os, dc(client.userAgent.browser) as dc_userAgentBrowser, dc(client.userAgent.os) as dc_userAgentOS, dc(client.ipAddress) as dc_src_ip, values(outcome.reason) as reason by debugContext.debugData.dtHash, user 
3| where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1) 
4| `okta_suspicious_use_of_a_session_cookie_filter`

Data Source

Name Platform Sourcetype Source Supported App
Okta N/A 'OktaIM2:log' 'Okta' N/A

Macros Used

Name Value
okta eventtype=okta_log OR sourcetype = "OktaIM2:log"
okta_suspicious_use_of_a_session_cookie_filter search *
okta_suspicious_use_of_a_session_cookie_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1539 Steal Web Session Cookie Credential Access
KillChainPhase.EXPLOITAITON
NistCategory.DE_AE
Cis18Value.CIS_10
Evilnum
LuminousMoth
Sandworm Team
Scattered Spider

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Risk Event True
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).

Known False Positives

False positives may occur, depending on the organization's size and the configuration of Okta.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message Risk Score Impact Confidence
A user [$user$] is attempting to use a session cookie from multiple IP addresses or devices. Investigate further to determine if this was authorized. 56 80 70
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset Okta OktaIM2:log
Integration ✅ Passing Dataset Okta OktaIM2:log

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range


Source: GitHub | Version: 3