[Rule Tuning] Multiple Device Token Hashes for Single Okta Session (#5948)

Fixes #5947

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

Author: 3 people

rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml

@@ -2,54 +2,54 @@
 creation_date = "2023/11/08"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/04/13"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may
-indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a
-session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.
+This rule detects when a specific Okta actor has multiple device token hashes and multiple source IPs for a single Okta
+session. This may indicate an authenticated session has been hijacked or replayed from a different device and network.
+Adversaries may steal session cookies or tokens to gain unauthorized access to Okta admin console, applications,
+tenants, or other resources.
 """
 from = "now-9m"
+interval = "8m"
 language = "esql"
 license = "Elastic License v2"
 name = "Multiple Device Token Hashes for Single Okta Session"
 note = """## Triage and analysis
 
 ### Investigating Multiple Device Token Hashes for Single Okta Session
 
-This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.
+This rule detects when a specific Okta actor has multiple device token hashes and multiple source IPs for a single Okta session. This may indicate an authenticated session has been hijacked or replayed from a different device and network. Adversaries may steal session cookies or tokens to gain unauthorized access to Okta admin console, applications, tenants, or other resources.
+
+> **Note**: This is an ES|QL aggregation-based rule. Exceptions can be added on the original ECS or integration-related fields. We recommend using the indicators from the alert document to pivot into the raw events for analysis.
 
 #### Possible investigation steps:
-- Since this is an ESQL rule, the `okta.actor.alternate_id` and `okta.authentication_context.external_session_id` values can be used to pivot into the raw authentication events related to this alert.
-- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
-- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
-- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.
-    - Historical analysis should indicate if this device token hash is commonly associated with the user.
-- Review the `okta.event_type` field to determine the type of authentication event that occurred.
-    - Authentication events have been filtered out to focus on Okta activity via established sessions.
-- Review the past activities of the actor(s) involved in this action by checking their previous actions.
-- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.
-    - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.
-- Aggregate by `okta.actor.alternate_id` and `event.action` to determine the type of actions that are being performed by the actor(s) involved in this action.
-    - If various activity is reported that seems to indicate actions from separate users, consider deactivating the user's account temporarily.
+- Use `okta.actor.alternate_id` and `okta.authentication_context.external_session_id` from the alert to pivot into the raw Okta system log events for the affected session.
+- Review the source IPs (`okta.client.ip`) and ASN information (`source.as.organization.name`) to determine if the session was used from multiple distinct networks.
+    - Multiple ASNs or geolocations (`client.geo.country_name`, `client.geo.city_name`) within the same session strongly suggest session hijacking.
+- Compare the `okta.debug_context.debug_data.dt_hash` values to identify the device token hashes associated with the session.
+    - A legitimate session should have a consistent device token hash. Multiple distinct hashes indicate the session cookie may have been replayed from a different device.
+- Examine `okta.client.user_agent.raw_user_agent` and `okta.client.device` for inconsistencies that suggest different devices or browsers using the same session.
+- Review `event.action` to understand what actions were performed during the session.
+    - Look for suspicious post-authentication activity such as admin console access, policy changes, or application assignment modifications.
+- Check `okta.debug_context.debug_data.risk_level`, `okta.debug_context.debug_data.risk_reasons`, and `okta.debug_context.debug_data.behaviors` for Okta's own risk assessment of the session activity.
+- Review the past activities of the actor(s) involved by checking their previous sessions and login patterns.
 
 ### False positive analysis:
-- It is very rare that a legitimate user would have multiple device token hashes for a single Okta session as DT hashes do not change after an authenticated session is established.
+- OAuth application integrations (e.g., backend services exchanging authorization codes for tokens) can generate multiple device token hashes per session due to the multi-step token grant flow. These typically involve `Okta-Integrations` user agents and known infrastructure IPs.
+- Users switching between networks (e.g., VPN reconnects, WiFi to cellular transitions) may produce multiple source IPs for the same session, though the device token hash should remain consistent.
+- Automated tools or scripts that interact with Okta APIs on behalf of a user may generate additional device token hashes.
 
 ### Response and remediation:
-- Consider stopping all sessions for the user(s) involved in this action.
-- If this does not appear to be a false positive, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).
-    - If MFA is already enabled, consider resetting MFA for the users.
-- If any of the users are not legitimate, consider deactivating the user's account.
-- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
-- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.
-    - If so, confirm with the user this was a legitimate request.
-    - If so and this was not a legitimate request, consider deactivating the user's account temporarily.
-        - Reset passwords and reset MFA for the user.
-- Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.
-    - This should be done with caution as it may prevent legitimate alerts from being generated.
+- If the alert shows multiple distinct ASNs or geolocations for the same session, immediately revoke all active sessions for the affected user via the Okta admin console.
+- Reset the user's password and all active MFA factors.
+    - If MFA is not enabled, enforce MFA enrollment before allowing re-authentication.
+- Review Okta system logs for any administrative or sensitive actions performed during the suspicious session window.
+- If the session was used to access downstream applications, review those application logs for unauthorized activity.
+- Check with the user to confirm whether they were actively using Okta during the alert time window.
+- For recurring false positives from known integrations, add exceptions on `okta.actor.alternate_id` for the specific service account or application client ID.
 """
 references = [
     "https://developer.okta.com/docs/reference/api/system-log/",
@@ -62,22 +62,20 @@ references = [
 ]
 risk_score = 47
 rule_id = "cc382a2e-7e52-11ee-9aac-f661ea17fbcd"
-setup = """## Setup
-
-The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 severity = "medium"
 tags = [
-    "Use Case: Identity and Access Audit",
+    "Domain: Identity",
+    "Domain: SaaS",
     "Data Source: Okta",
+    "Data Source: Okta System Logs",
     "Tactic: Credential Access",
-    "Domain: SaaS",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
 
 query = '''
-from logs-okta*
+from logs-okta.system-*
 | where
     data_stream.dataset == "okta.system" and
     not event.action in (
@@ -87,21 +85,48 @@ from logs-okta*
     ) and
     okta.actor.alternate_id != "system@okta.com" and
     okta.actor.alternate_id rlike "[^@\\s]+\\@[^@\\s]+" and
-    okta.authentication_context.external_session_id != "unknown"
-| keep
-    event.action,
-    okta.actor.alternate_id,
-    okta.authentication_context.external_session_id,
-    okta.debug_context.debug_data.dt_hash
+    okta.authentication_context.external_session_id != "unknown" and
+    (
+        okta.authentication_context.external_session_id IS NOT NULL and
+        okta.debug_context.debug_data.dt_hash IS NOT NULL and
+        okta.client.ip IS NOT NULL and
+        okta.client.user_agent.raw_user_agent IS NOT NULL
+    ) and
+    (
+        okta.authentication_context.external_session_id != "-" and
+        okta.debug_context.debug_data.dt_hash != "-" and
+        okta.client.user_agent.raw_user_agent != "-"
+    )
 | stats
-    Esql.okta_debug_context_debug_data_dt_hash_count_distinct = count_distinct(okta.debug_context.debug_data.dt_hash)
+    Esql.dt_hash_count_distinct = count_distinct(okta.debug_context.debug_data.dt_hash),
+    Esql.client_ip_count_distinct = count_distinct(okta.client.ip),
+    Esql.event_count = count(*),
+    Esql.first_event_time = min(@timestamp),
+    Esql.last_event_time = max(@timestamp),
+    Esql.dt_hash_values = values(okta.debug_context.debug_data.dt_hash),
+    Esql.event_action_values = values(event.action),
+    Esql.client_ip_values = values(okta.client.ip),
+    Esql.user_agent_values = values(okta.client.user_agent.raw_user_agent),
+    Esql.device_values = values(okta.client.device),
+    Esql.is_proxy_values = values(okta.security_context.is_proxy),
+    Esql.geo_country_name_values = values(client.geo.country_name),
+    Esql.geo_city_name_values = values(client.geo.city_name),
+    Esql.source_asn_number_values = values(source.`as`.number),
+    Esql.source_asn_org_name_values = values(source.`as`.organization.name),
+    Esql.threat_suspected_values = values(okta.debug_context.debug_data.threat_suspected),
+    Esql.risk_level_values = values(okta.debug_context.debug_data.risk_level),
+    Esql.risk_reasons_values = values(okta.debug_context.debug_data.risk_reasons),
+    Esql.behaviors_values = values(okta.debug_context.debug_data.behaviors),
+    Esql.device_fingerprint_values = values(okta.debug_context.debug_data.device_fingerprint),
+    Esql.risk_behaviors_values = values(okta.debug_context.debug_data.risk_behaviors),
+    Esql.request_uri_values = values(okta.debug_context.debug_data.request_uri)
   by
     okta.actor.alternate_id,
     okta.authentication_context.external_session_id
 | where
-    Esql.okta_debug_context_debug_data_dt_hash_count_distinct >= 2
-| sort
-    Esql.okta_debug_context_debug_data_dt_hash_count_distinct desc
+    Esql.dt_hash_count_distinct >= 4 and
+    Esql.client_ip_count_distinct >= 2
+| keep Esql.*, okta.*
 '''