[New Rule] Okta Multiple OS Names Detected for a Single DT Hash #5241
+107
−0
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||||
|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,107 @@ | ||||||||
| [metadata] | ||||||||
| creation_date = "2025/10/22" | ||||||||
| maturity = "production" | ||||||||
| updated_date = "2025/10/22" | ||||||||
|
|
||||||||
| [rule] | ||||||||
| author = ["Elastic"] | ||||||||
| description = """ | ||||||||
| Identifies when a single Okta device token hash (dt_hash) is associated with multiple operating system types. This is | ||||||||
| highly anomalous because a device token token is tied to a specific device and its operating system. This alert strongly | ||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||||
| indicates that an attacker has stolen a device token token and is using it to impersonate a legitimate user from a | ||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
is this double token token intentional? It's in the investigation guide as well |
||||||||
| different machine. | ||||||||
| """ | ||||||||
| false_positives = [ | ||||||||
| """ | ||||||||
| Applications will tag the operating system as null when the device is not recognized as a managed device. In | ||||||||
| environments where users frequently switch between managed and unmanaged devices, this may lead to false positives. | ||||||||
| """, | ||||||||
| ] | ||||||||
| from = "now-60m" | ||||||||
| index = ["logs-okta.system-*"] | ||||||||
| language = "kuery" | ||||||||
| name = "Okta Multiple OS Names Detected for a Single DT Hash" | ||||||||
| note = """## Triage and analysis | ||||||||
|
|
||||||||
| ### Investigating Okta Multiple OS Names Detected for a Single DT Hash | ||||||||
|
|
||||||||
| This rule detects when a single Okta device token hash (dt_hash) is associated with multiple operating system types. This is highly anomalous because a device token token is tied to a specific device and its operating system. This alert strongly indicates that an attacker has stolen a device token token and is using it to impersonate a legitimate user from a different machine. | ||||||||
|
|
||||||||
| ### Possible investigation steps | ||||||||
| - Review the `okta.debug_context.debug_data.dt_hash` field to identify the specific device | ||||||||
| trust hash associated with multiple operating systems. | ||||||||
| - Examine the `user.email` field to determine which user account is associated with the suspicious activity | ||||||||
| - Analyze the `source.ip` field to identify the IP addresses from which the different operating systems were reported. Look for any unusual or unexpected locations. | ||||||||
| - Review the `user_agent.os.name` field to see the different operating systems reported for the | ||||||||
| same dt_hash. This will help identify the nature of the anomaly. | ||||||||
| - Check the `event.action` field to understand the context of the authentication events (e.g., MFA verification, standard authentication). | ||||||||
| - Investigate the timeline of events to see when the different operating systems were reported for the same dt_hash. Look for patterns or sequences that may indicate malicious activity. | ||||||||
| - Correlate this activity with other security events in your environment, such as failed login attempts, unusual access patterns, or alerts from endpoint security solutions. | ||||||||
|
|
||||||||
| ### False positive analysis | ||||||||
| - Applications will tag the operating system as null when the device is not recognized as a managed device | ||||||||
| - In environments where users frequently switch between managed and unmanaged devices, this may lead to false positives. | ||||||||
|
|
||||||||
| ### Response and remediation | ||||||||
| - Immediately investigate the user account associated with the suspicious activity to determine if it has been compromised. | ||||||||
| - If compromise is confirmed, reset the user's credentials and enforce multi-factor authentication (MFA) | ||||||||
| - Revoke any active sessions associated with the compromised account to prevent further unauthorized access. | ||||||||
| - Review and monitor the affected dt_hash for any further suspicious activity. | ||||||||
| - Educate users about the importance of device security and the risks associated with device token tokens. | ||||||||
| - Implement additional monitoring for device token tokens and consider using conditional access policies to restrict access based on device compliance status. | ||||||||
| """ | ||||||||
| risk_score = 73 | ||||||||
| rule_id = "fb3ca230-af4e-11f0-900d-f661ea17fbcc" | ||||||||
| severity = "high" | ||||||||
| tags = [ | ||||||||
| "Domain: Identity", | ||||||||
| "Data Source: Okta", | ||||||||
| "Data Source: Okta System Logs", | ||||||||
| "Use Case: Threat Detection", | ||||||||
| "Tactic: Credential Access", | ||||||||
| ] | ||||||||
| timestamp_override = "event.ingested" | ||||||||
| type = "threshold" | ||||||||
|
|
||||||||
| query = ''' | ||||||||
| data_stream.dataset: "okta.system" | ||||||||
| and not okta.debug_context.debug_data.dt_hash: "-" | ||||||||
| and user_agent.os.name: * | ||||||||
| and event.action: ( | ||||||||
| "user.authentication.verify" or | ||||||||
| "user.authentication.auth_via_mfa" | ||||||||
| ) | ||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
Do we care about failed attempts? |
||||||||
| ''' | ||||||||
|
|
||||||||
|
|
||||||||
| [[rule.threat]] | ||||||||
| framework = "MITRE ATT&CK" | ||||||||
| [[rule.threat.technique]] | ||||||||
| id = "T1539" | ||||||||
| name = "Steal Web Session Cookie" | ||||||||
| reference = "https://attack.mitre.org/techniques/T1539/" | ||||||||
|
|
||||||||
|
|
||||||||
| [rule.threat.tactic] | ||||||||
| id = "TA0006" | ||||||||
| name = "Credential Access" | ||||||||
| reference = "https://attack.mitre.org/tactics/TA0006/" | ||||||||
|
|
||||||||
| [rule.investigation_fields] | ||||||||
| field_names = [ | ||||||||
| "@timestamp", | ||||||||
| "okta.debug_context.debug_data.dt_hash", | ||||||||
| "user.email", | ||||||||
| "source.ip", | ||||||||
| "user_agent.os.name", | ||||||||
| "event.action", | ||||||||
| ] | ||||||||
|
|
||||||||
| [rule.threshold] | ||||||||
| field = ["okta.debug_context.debug_data.dt_hash"] | ||||||||
| value = 1 | ||||||||
| [[rule.threshold.cardinality]] | ||||||||
| field = "user_agent.os.name" | ||||||||
| value = 2 | ||||||||
|
|
||||||||
|
|
||||||||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.