Okta Suspicious Session Cookie Use
This detection identifies the suspicious use of a session cookie by detecting multiple client values (IP, User Agent, etc.) changing for the same Device Token associated with a specific user, potentially indicating credential access and unauthorized account access.
This analytic detects the suspicious use of session cookies within Okta environments. The activity is identified by tracking multiple client attribute changes (IP address, User Agent, OS) associated with the same device token and user. This behavior is indicative of an attacker attempting to reuse stolen session cookies. The detection leverages Okta policy evaluation events (policy.evaluate_sign_on) and filters for successful authentication attempts to identify deviations in user behavior. The scope includes any organization using Okta for identity management. Defenders should be aware of this technique as it can bypass multi-factor authentication, granting unauthorized access to user accounts and sensitive resources.
Attack Chain
- Attacker gains access to a valid Okta session cookie (e.g., via malware or phishing).
- Attacker attempts to authenticate to Okta using the stolen session cookie.
- Okta generates a policy evaluation event (policy.evaluate_sign_on) upon successful authentication.
- The attacker initiates subsequent login attempts from a different IP address than the original session.
- The attacker may also change the User-Agent string (browser/OS) to further mask their activity.
- Okta logs these changes in client attributes (client.ipAddress, client.userAgent) associated with the same device token (debugContext.debugData.dtHash).
- The detection identifies the multiple client attribute changes, specifically IP address, browser, and OS.
- If the activity is not authorized, the attacker gains unauthorized access to the user's Okta account, potentially leading to further lateral movement and data exfiltration.
Impact
Compromised Okta accounts can lead to significant data breaches and unauthorized access to sensitive applications and resources. Attackers can leverage these accounts for lateral movement within the network and access confidential data stored within cloud applications. The number of affected users depends on the scope of the compromised Okta tenant. Organizations in all sectors are potentially vulnerable.
Recommendation
- Deploy the Sigma rule
Okta Suspicious Session Cookie Useto your SIEM and tune for your environment to detect the described activity. - Investigate any alerts generated by the
Okta Suspicious Session Cookie Userule, focusing on identifying the source of the session cookie theft and any subsequent unauthorized access. - Ensure that Okta logs, specifically
OktaIm2logs, are being ingested through the Splunk Add-on for Okta Identity Cloud to enable the detection (reference: https://splunkbase.splunk.com/app/6553). - Monitor Okta policy evaluation events (
policy.evaluate_sign_on) for unexpected changes in client attributes (IP address, user agent) associated with the same device token. - Review Okta's risk scoring and authentication policies to strengthen defenses against session cookie theft and reuse.
Detection coverage 2
Okta Suspicious Session Cookie Use
highDetects suspicious use of a session cookie by identifying multiple client IP addresses and/or User Agents associated with the same device token.
Okta Multiple Geolocation Anomalies
mediumDetects anomalies in geolocation data associated with Okta authentication events, potentially indicating account compromise or unauthorized access.
Detection queries are available on the platform. Get full rules →