Okta Suspicious Use of a Session Cookie
THIS IS AN EXPERIMENTAL DETECTION
This detection has been marked experimental by the Splunk Threat Research team. This means we have not been able to test, simulate, or build datasets for this detection. Use at your own risk. This analytic is NOT supported.
The following analytic looks for one or more policy evaluation events in which multiple client values (IP, User Agent, etc.) change in association with the same Device Token for a specific user. A detection opportunity arises when an adversary attempts to reuse a stolen web session cookie.
- Retrieves policy evaluation events from successful authentication events.
- Aggregates/groups by Device Token and User, providing the first policy evaluation event in the search window.
- Evaluates whether there is more than one IP and whether there is more than one OS or browser for each combination of User/Device Token.
- Type: Hunting
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2023-03-17
- Author: Scott Dermott and Felicity Robson, Okta, Michael Haag, Splunk
- ID: 71ad47d1-d6bd-4e0a-b35c-020ad9a6959e
Kill Chain Phase
- CIS 10
`okta` eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW, SUCCESS)
| stats earliest(_time) as _time values(client.ipAddress) as src_ip values(client.userAgent.rawUserAgent) as user_agent values(client.userAgent.os) as userAgentOS_list values(client.geographicalContext.city) as city values(client.userAgent.browser) as userAgentBrowser_list values(device.os_platform) as okta_device_os dc(client.userAgent.browser) as dc_userAgentBrowser dc(client.userAgent.os) as dc_userAgentOS dc(client.ipAddress) as dc_src_ip values(outcome.reason) as reason by debugContext.debugData.dtHash actor.alternateId
| where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1)
| `okta_suspicious_use_of_a_session_cookie_filter`
The SPL above uses the following Macros:
okta_suspicious_use_of_a_session_cookie_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
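The grouping and threshold logic of the SPL above, re-implemented in Python over constructed sample Okta System Log events so the hit condition can be checked offline. This is an added example, not Splunk's or Okta's code; the users, device tokens, IPs and timestamps are constructed, and only the fields the search actually uses are populated.

```python
from collections import defaultdict


def okta_event(user, dt_hash, ip, os_name, browser, published, result="ALLOW"):
    """Build a minimal Okta System Log record (constructed sample, not real data)."""
    return {
        "eventType": "policy.evaluate_sign_on",
        "published": published,
        "outcome": {"result": result},
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip, "userAgent": {"os": os_name, "browser": browser}},
        "debugContext": {"debugData": {"dtHash": dt_hash}},
    }


# Constructed sample events. alice's device token (dtHash) is seen from two IPs with
# two different OS/browser pairs (the hunt's hit condition); bob changes IP but keeps
# the same OS and browser; carol's evaluation was denied and is dropped by the base search.
SAMPLE_EVENTS = [
    okta_event("alice@example.com", "dt-aaa", "203.0.113.10", "Mac OS X", "CHROME", "2023-03-17T09:00:00Z"),
    okta_event("alice@example.com", "dt-aaa", "198.51.100.7", "Windows 10", "FIREFOX", "2023-03-17T09:05:00Z"),
    okta_event("bob@example.com", "dt-bbb", "203.0.113.20", "Windows 10", "CHROME", "2023-03-17T09:10:00Z"),
    okta_event("bob@example.com", "dt-bbb", "192.0.2.33", "Windows 10", "CHROME", "2023-03-17T09:12:00Z"),
    okta_event("carol@example.com", "dt-ccc", "192.0.2.50", "iOS", "SAFARI", "2023-03-17T09:20:00Z", result="DENY"),
]


def find_suspicious_session_use(events):
    """Mirror the SPL: stats values()/dc() by dtHash + actor, then apply the where clause."""
    groups = defaultdict(lambda: {"src_ip": set(), "os": set(), "browser": set(), "earliest": None})
    for ev in events:
        # Base search: sign-on policy evaluations whose outcome was ALLOW or SUCCESS.
        if ev.get("eventType") != "policy.evaluate_sign_on":
            continue
        if ev.get("outcome", {}).get("result") not in ("ALLOW", "SUCCESS"):
            continue
        key = (ev["debugContext"]["debugData"]["dtHash"], ev["actor"]["alternateId"])
        group, ua = groups[key], ev["client"].get("userAgent", {})
        group["src_ip"].add(ev["client"].get("ipAddress"))
        group["os"].add(ua.get("os"))
        group["browser"].add(ua.get("browser"))
        # earliest(_time): ISO-8601 UTC strings of identical format sort lexicographically.
        if group["earliest"] is None or ev["published"] < group["earliest"]:
            group["earliest"] = ev["published"]
    # where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1)
    return {k: g for k, g in groups.items()
            if len(g["src_ip"]) > 1 and (len(g["os"]) > 1 or len(g["browser"]) > 1)}


if __name__ == "__main__":
    for (dt_hash, user), g in find_suspicious_session_use(SAMPLE_EVENTS).items():
        print(user, dt_hash, sorted(g["src_ip"]), sorted(g["os"]), sorted(g["browser"]))
```

Only alice's (dtHash, user) pair is returned; bob's IP change alone does not meet the where clause, which is the same reason the SPL requires both an IP change and an OS or browser change.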
List of fields required to use this analytic.
How To Implement
This analytic is specific to Okta and requires Okta:im2 logs to be ingested.
Known False Positives
False positives may be present based on organization size and configuration of Okta.
Associated Analytic Story
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 56.0 | 80 | 70 | A suspicious use of a session cookie was identified by user $actor.alternateId$. |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range.
source | version: 1