Okta Potentially Stolen Session
This rule looks for the same Okta session being used from two different devices, which indicates that a session token (cookie) has been stolen and replayed by a second client.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1539 Steal Web Session Cookie |
Rules detecting the same action
Other rules in the catalog (Panther and other platforms) that filter on the same API call or operation.
- Failed Logins from Unknown or Invalid User (Kusto)
- First Occurrence of Okta User Session Started via Proxy (Elastic)
- High-Risk Admin Activity (Kusto)
- Multiple Okta Sessions Detected for a Single User (Elastic)
- Multiple Okta User Authentication Events with Same Device Token Hash (Elastic)
- New Device/Location sign-in along with critical operation (Kusto)
- Okta AiTM Session Cookie Replay (Elastic)
- Okta Login Signal (Panther)
Rule body (YAML)
AnalysisType: rule
Filename: okta_potentially_stolen_session.py
RuleID: Okta.PotentiallyStolenSession
DisplayName: Okta Potentially Stolen Session
Enabled: true
LogTypes:
- Okta.SystemLog
Tags:
- Identity & Access Management
- Okta
Reports:
MITRE ATT&CK:
- TA0006:T1539
Severity: High
Description: This rule looks for the same session being used from two devices, indicating a compromised session token.
Runbook: Confirm the session is used on two devices, one of which is unknown. Lock the user's Okta account and clear the user's sessions in downstream apps.
Reference: https://sec.okta.com/sessioncookietheft
SummaryAttributes:
- eventType
- severity
- p_any_ip_addresses
- p_any_domain_names
Tests:
- Name: Same device and OS
ExpectedResult: false
Mocks:
- objectName: get_string_set
returnValue: >
[
"263297",
"1.2.3.4",
"user_agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36",
"CHROME",
"Linux"
]
Log:
{
"actor":
{
"alternateId": "admin",
"displayName": "unknown",
"id": "unknown",
"type": "User",
},
"authenticationContext":
{ "authenticationStep": 0, "externalSessionId": "123456789" },
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "Dois Irmaos",
"country": "Brazil",
"geolocation": { "lat": -29.6116, "lon": -51.0933 },
"postalCode": "93950",
"state": "Rio Grande do Sul",
},
"ipAddress": "1.2.3.4",
"userAgent":
{
"browser": "CHROME",
"os": "Linux",
"rawUserAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36",
},
"zone": "null",
},
"debugContext":
{
"debugData":
{
"loginResult": "VERIFICATION_ERROR",
"requestId": "redacted",
"requestUri": "redacted",
"threatSuspected": "false",
"url": "redacted",
"dtHash": "kzpx58a99d2oam082rlu588wgy1mb0zfi1e1l63f9cjx4uxc455k4t6xdiwbxian",
},
},
"displayMessage": "User login to Okta",
"eventType": "user.session.start",
"legacyEventType": "core.user_auth.login_failed",
"outcome": { "reason": "VERIFICATION_ERROR", "result": "FAILURE" },
"p_any_domain_names": ["rnvtelecom.com.br"],
"p_any_ip_addresses": ["redacted"],
"p_event_time": "redacted",
"p_log_type": "Okta.SystemLog",
"p_parse_time": "redacted",
"p_row_id": "redacted",
"p_source_id": "redacted",
"p_source_label": "Okta",
"published": "redacted",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "Dois Irmaos",
"country": "Brazil",
"geolocation": { "lat": -29.6116, "lon": -51.0933 },
"postalCode": "93950",
"state": "Rio Grande do Sul",
},
"ip": "redacted",
"version": "V4",
},
],
},
"securityContext":
{
"asNumber": 263297,
"asOrg": "renovare telecom",
"domain": "rnvtelecom.com.br",
"isProxy": false,
"isp": "renovare telecom",
},
"severity": "INFO",
"transaction": { "detail": {}, "id": "redacted", "type": "WEB" },
"uuid": "redacted",
"version": "0",
}
- Name: Different device & ASN
ExpectedResult: true
Mocks:
- objectName: get_string_set
returnValue: >
[
"123456",
"4.3.2.1",
"user_agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36",
"CHROME",
"MacOS"
]
Log:
{
"actor":
{
"alternateId": "admin",
"displayName": "Bobert",
"id": "unknown",
"type": "User",
},
"authenticationContext":
{ "authenticationStep": 0, "externalSessionId": "123456789" },
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "Dois Irmaos",
"country": "Brazil",
"geolocation": { "lat": -29.6116, "lon": -51.0933 },
"postalCode": "93950",
"state": "Rio Grande do Sul",
},
"ipAddress": "1.2.3.4",
"userAgent":
{
"browser": "CHROME",
"os": "Linux",
"rawUserAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36",
},
"zone": "null",
},
"debugContext":
{
"debugData":
{
"dtHash": "kzpx58a99d2oam082rlu588wgy1mb0zfi1e1l63f9cjx4uxc455k4t6xdiwbxian",
"loginResult": "VERIFICATION_ERROR",
"requestId": "redacted",
"requestUri": "redacted",
"threatSuspected": "false",
"url": "redacted",
},
},
"displayMessage": "User login to Okta",
"eventType": "user.session.start",
"legacyEventType": "core.user_auth.login_failed",
"outcome": { "reason": "VERIFICATION_ERROR", "result": "FAILURE" },
"p_any_domain_names": ["rnvtelecom.com.br"],
"p_any_ip_addresses": ["redacted"],
"p_event_time": "redacted",
"p_log_type": "Okta.SystemLog",
"p_parse_time": "redacted",
"p_row_id": "redacted",
"p_source_id": "redacted",
"p_source_label": "Okta",
"published": "redacted",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "Dois Irmaos",
"country": "Brazil",
"geolocation": { "lat": -29.6116, "lon": -51.0933 },
"postalCode": "93950",
"state": "Rio Grande do Sul",
},
"ip": "redacted",
"version": "V4",
},
],
},
"securityContext":
{
"asNumber": 263297,
"asOrg": "renovare telecom",
"domain": "rnvtelecom.com.br",
"isProxy": false,
"isp": "renovare telecom",
},
"severity": "INFO",
"transaction": { "detail": {}, "id": "redacted", "type": "WEB" },
"uuid": "redacted",
"version": "0",
}
- Name: Different ASN & same device
ExpectedResult: false
Mocks:
- objectName: get_string_set
returnValue: >
[
"654321",
"1.2.3.4",
"user_agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36",
"CHROME",
"Linux"
]
Log:
{
"actor":
{
"alternateId": "admin",
"displayName": "Bobert",
"id": "unknown",
"type": "User",
},
"authenticationContext":
{ "authenticationStep": 0, "externalSessionId": "123456789" },
"client":
{
"device": "Computer",
"geographicalContext":
{
"city": "Dois Irmaos",
"country": "Brazil",
"geolocation": { "lat": -29.6116, "lon": -51.0933 },
"postalCode": "93950",
"state": "Rio Grande do Sul",
},
"ipAddress": "1.2.3.4",
"userAgent":
{
"browser": "CHROME",
"os": "Linux",
"rawUserAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36",
},
"zone": "null",
},
"debugContext":
{
"debugData":
{
"loginResult": "VERIFICATION_ERROR",
"requestId": "redacted",
"requestUri": "redacted",
"threatSuspected": "false",
"url": "redacted",
"dtHash": "kzpx58a99d2oam082rlu588wgy1mb0zfi1e1l63f9cjx4uxc455k4t6xdiwbxian",
},
},
"displayMessage": "User login to Okta",
"eventType": "user.session.start",
"legacyEventType": "core.user_auth.login_failed",
"outcome": { "reason": "VERIFICATION_ERROR", "result": "FAILURE" },
"p_any_domain_names": ["rnvtelecom.com.br"],
"p_any_ip_addresses": ["redacted"],
"p_event_time": "redacted",
"p_log_type": "Okta.SystemLog",
"p_parse_time": "redacted",
"p_row_id": "redacted",
"p_source_id": "redacted",
"p_source_label": "Okta",
"published": "redacted",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "Dois Irmaos",
"country": "Brazil",
"geolocation": { "lat": -29.6116, "lon": -51.0933 },
"postalCode": "93950",
"state": "Rio Grande do Sul",
},
"ip": "redacted",
"version": "V4",
},
],
},
"securityContext":
{
"asNumber": 263297,
"asOrg": "renovare telecom",
"domain": "rnvtelecom.com.br",
"isProxy": false,
"isp": "renovare telecom",
},
"severity": "INFO",
"transaction": { "detail": {}, "id": "redacted", "type": "WEB" },
"uuid": "redacted",
"version": "0",
}
- Name: Okta internal event should be ignored
ExpectedResult: false
Mocks:
- objectName: get_string_set
returnValue: >
[
"123456",
"4.3.2.1",
"user_agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36",
"CHROME",
"MacOS"
]
Log:
{
"actor":
{
"alternateId": "admin",
"displayName": "Bobert",
"id": "unknown",
"type": "User",
},
"authenticationContext":
{ "authenticationStep": 0, "externalSessionId": "123456789" },
"client":
{
"device": "Unknown",
"geographicalContext":
{
"city": "Boardman",
"country": "United States",
"geolocation": { "lat": 45.8234, "lon": -119.7257 },
"postalCode": "97818",
"state": "Oregon",
},
"id": "okta.b58d5b75-07d4-5f25-bf59-368a1261a405",
"ipAddress": "44.238.82.114",
"userAgent":
{
"browser": "UNKNOWN",
"os": "Unknown",
"rawUserAgent": "Okta-Integrations",
},
"zone": "null",
},
"debugContext":
{
"debugData":
{
"loginResult": "VERIFICATION_ERROR",
"requestId": "redacted",
"requestUri": "redacted",
"threatSuspected": "false",
"url": "redacted",
},
},
"displayMessage": "User login to Okta",
"eventType": "user.session.start",
"legacyEventType": "core.user_auth.login_failed",
"outcome": { "reason": "VERIFICATION_ERROR", "result": "FAILURE" },
"p_any_domain_names": ["rnvtelecom.com.br"],
"p_any_ip_addresses": ["redacted"],
"p_event_time": "redacted",
"p_log_type": "Okta.SystemLog",
"p_parse_time": "redacted",
"p_row_id": "redacted",
"p_source_id": "redacted",
"p_source_label": "Okta",
"published": "redacted",
"request":
{
"ipChain":
[
{
"geographicalContext":
{
"city": "Boardman",
"country": "United States",
"geolocation": { "lat": 45.8234, "lon": -119.7257 },
"postalCode": "97818",
"state": "Oregon",
},
"ip": "44.238.82.114",
"version": "V4",
},
],
},
"securityContext": {},
"severity": "INFO",
"transaction": { "detail": {}, "id": "redacted", "type": "WEB" },
"uuid": "redacted",
"version": "0",
}
Detection logic
Condition
client.id ne "okta.b58d5b75-07d4-5f25-bf59-368a1261a405"
eventType in ["user.authentication.sso", "user.session.start"]
authenticationContext.externalSessionId ne "unknown"
debugContext.debugData.dtHash ne "unknown"
This rule also runs imperative, stateful logic the parser cannot express as a filter: for each session (keyed on externalSessionId and dtHash) it caches a fingerprint of the first event seen, consisting of the ASN, IP address, raw user agent string (prefixed "user_agent:"), browser and OS, and compares later events for the same session against it. The tests above mock that cache lookup (get_string_set): an event whose ASN alone differs from the cached fingerprint does not alert, while an event whose ASN, user agent and OS all differ does. The conditions above are the structured part the parser could extract.
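To make the stateful part of the logic concrete, here is an added example, written for this page and not the Panther rule's own code, that re-implements the check in plain Python and runs it over constructed events modelled on the test cases above. It assumes a hypothetical FINGERPRINT_THRESHOLD of three changed attributes (the real rule's threshold is not shown on this page), an in-memory dict in place of Panther's get_string_set cache, and counts ASN, raw user agent, browser and OS but not the bare IP address when deciding that a second device is in play; the helpers deep_get, make_event and run_scenarios are likewise this example's own.

```python
"""Added example: stateful "same session, different device" check modelled on the page's tests."""
from typing import Any, Dict, List, Set

# Exclusion taken from the rule: Okta's own integrations client.
OKTA_INTERNAL_CLIENT_ID = "okta.b58d5b75-07d4-5f25-bf59-368a1261a405"
SESSION_EVENT_TYPES = {"user.authentication.sso", "user.session.start"}
# Assumption: how many fingerprint attributes must change before we alert.
# The page's tests show ASN alone is not enough but ASN + user agent + OS is.
FINGERPRINT_THRESHOLD = 3

# Values copied from the page's test cases (constructed sample data).
LINUX_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36"
MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
DT_HASH = "kzpx58a99d2oam082rlu588wgy1mb0zfi1e1l63f9cjx4uxc455k4t6xdiwbxian"


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts; return default if any key is missing (hypothetical helper)."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def make_event(asn, ip, raw_ua, browser, os_name, client_id=None, dt_hash=DT_HASH,
               event_type="user.session.start") -> Dict[str, Any]:
    """Constructed Okta System Log event trimmed to the fields the rule reads."""
    client: Dict[str, Any] = {"ipAddress": ip,
                              "userAgent": {"browser": browser, "os": os_name, "rawUserAgent": raw_ua}}
    if client_id:
        client["id"] = client_id
    return {
        "eventType": event_type,
        "actor": {"alternateId": "admin", "type": "User"},
        "authenticationContext": {"externalSessionId": "123456789"},
        "client": client,
        "debugContext": {"debugData": {"dtHash": dt_hash} if dt_hash else {}},
        "securityContext": {"asNumber": asn} if asn is not None else {},
    }


def fingerprint(event: Dict[str, Any]) -> List[str]:
    """Same shape as the cached set in the page's mocks: asn, ip, user_agent:<raw>, browser, os."""
    return [
        str(deep_get(event, "securityContext", "asNumber")),
        str(deep_get(event, "client", "ipAddress")),
        "user_agent:" + str(deep_get(event, "client", "userAgent", "rawUserAgent", default="")),
        str(deep_get(event, "client", "userAgent", "browser")),
        str(deep_get(event, "client", "userAgent", "os")),
    ]


def rule(event: Dict[str, Any], cache: Dict[str, Set[str]]) -> bool:
    """Return True when this session has already been seen from a different device."""
    # Structured filters (the parser-extractable part of the rule).
    if deep_get(event, "client", "id") == OKTA_INTERNAL_CLIENT_ID:
        return False
    session_id = deep_get(event, "authenticationContext", "externalSessionId", default="unknown")
    dt_hash = deep_get(event, "debugContext", "debugData", "dtHash", default="unknown")
    if event.get("eventType") not in SESSION_EVENT_TYPES or session_id == "unknown" or dt_hash == "unknown":
        return False
    # Stateful part: first sighting primes the cache, later sightings are compared to it.
    key = f"{session_id}-{dt_hash}"
    current = fingerprint(event)
    previous = cache.get(key)
    if previous is None:
        cache[key] = set(current)
        return False
    asn, _ip, user_agent, browser, os_name = current
    # IP is deliberately not counted: the same ASN with a new IP is normal NAT / mobile churn.
    changed = sum(1 for attr in (asn, user_agent, browser, os_name) if attr not in previous)
    return changed >= FINGERPRINT_THRESHOLD


def run_scenarios() -> Dict[str, bool]:
    """Replay the page's four test cases plus a two-event flow against an empty cache."""
    linux = dict(asn=263297, ip="1.2.3.4", raw_ua=LINUX_UA, browser="CHROME", os_name="Linux")
    key = "123456789-" + DT_HASH
    cached_linux = {"263297", "1.2.3.4", "user_agent:" + LINUX_UA, "CHROME", "Linux"}
    cached_mac = {"123456", "4.3.2.1", "user_agent:" + MAC_UA, "CHROME", "MacOS"}
    cached_other_asn = {"654321", "1.2.3.4", "user_agent:" + LINUX_UA, "CHROME", "Linux"}
    results = {
        "same device and OS": rule(make_event(**linux), {key: set(cached_linux)}),
        "different device & ASN": rule(make_event(**linux), {key: set(cached_mac)}),
        "different ASN & same device": rule(make_event(**linux), {key: set(cached_other_asn)}),
        "okta internal event": rule(make_event(asn=None, ip="44.238.82.114", raw_ua="Okta-Integrations",
                                               browser="UNKNOWN", os_name="Unknown",
                                               client_id=OKTA_INTERNAL_CLIENT_ID, dt_hash=None),
                                    {key: set(cached_mac)}),
    }
    cache: Dict[str, Set[str]] = {}
    results["first sighting"] = rule(make_event(**linux), cache)
    results["replay from second device"] = rule(
        make_event(asn=123456, ip="4.3.2.1", raw_ua=MAC_UA, browser="CHROME", os_name="MacOS"), cache)
    return results


if __name__ == "__main__":
    for name, fired in run_scenarios().items():
        print(f"{name}: {'ALERT' if fired else 'no alert'}")
```

The two-event flow at the end is the case the page's mocks skip over: the first login primes the cache and never alerts on its own, so the rule only fires on the second sighting of the same externalSessionId and dtHash. Whatever threshold you pick, keep the cache TTL in step with your Okta session lifetime, otherwise a legitimately long-lived session will be "first seen" again and the replay goes unnoticed.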
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses. An event matching any one of them returns false before the stateful fingerprint comparison runs.
| Field | Kind | Values |
|---|---|---|
| eventType | not in | user.authentication.sso, user.session.start |
| authenticationContext.externalSessionId | eq | unknown |
| debugContext.debugData.dtHash | eq | unknown |
| client.id | eq | okta.b58d5b75-07d4-5f25-bf59-368a1261a405 |
Indicators
Each row is a field, operator, and value that the rule matches.
| Field | Kind | Values |
|---|---|---|
| eventType | in | user.authentication.sso, user.session.start |
Output fields
Fields the rule emits when it matches. For a Panther Python rule these are the keys of the dict returned by its alert_context() function, plus the title; Chronicle authors list the equivalent in the outcome block, and Sentinel / Defender XDR rules build them up through project / summarize / extend stages and map them into alert fields via entityMappings and customDetails.
| Field | Source |
|---|---|
| event_type | eventType |
| severity | severity |
| actor | actor |
| client | client |
| request | request |
| outcome | outcome |
| target | target |
| debug_context | debugContext |
| authentication_context | authenticationContext |
| security_context | securityContext |
| ips | p_any_ip_addresses |
| displayName | actor.displayName |