Detection: Okta Suspicious Use of a Session Cookie

Updated Date: 2025-01-21 ID: 71ad47d1-d6bd-4e0a-b35c-020ad9a6959e Author: Scott Dermott, Felicity Robson, Okta, Michael Haag, Bhavin Patel, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic identifies suspicious use of a session cookie by detecting multiple client values (IP, User Agent, etc.) changing for the same Device Token associated with a specific user. It leverages policy evaluation events from successful authentication logs in Okta. This activity is significant as it may indicate an adversary attempting to reuse a stolen web session cookie, potentially bypassing authentication mechanisms. If confirmed malicious, this could allow unauthorized access to user accounts, leading to data breaches or further exploitation within the environment.

Search

1`okta` eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW, SUCCESS) 
2| stats earliest(_time) as _time, values(client.ipAddress) as src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(client.userAgent.os) as userAgentOS_list, values(client.geographicalContext.city) as city, values(client.userAgent.browser) as userAgentBrowser_list, values(device.os_platform) as okta_device_os, dc(client.userAgent.browser) as dc_userAgentBrowser, dc(client.userAgent.os) as dc_userAgentOS, dc(client.ipAddress) as dc_src_ip, values(outcome.reason) as reason by debugContext.debugData.dtHash, user 
3| where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1) 
4| `okta_suspicious_use_of_a_session_cookie_filter`

Data Source

Name	Platform	Sourcetype	Source
Okta	N/A	`'OktaIM2:log'`	`'Okta'`

Macros Used

Name	Value
okta	`eventtype=okta_log OR sourcetype = "OktaIM2:log"`
okta_suspicious_use_of_a_session_cookie_filter	`search *`

okta_suspicious_use_of_a_session_cookie_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1539	Steal Web Session Cookie	Credential Access

Exploitation

DE.AE

CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	True

This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).

Known False Positives

False positives may occur, depending on the organization's size and the configuration of Okta.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

A user [$user$] is attempting to use a session cookie from multiple IP addresses or devices. Investigate further to determine if this was authorized.

Risk Object	Risk Object Type	Risk Score	Threat Objects
user	user	56	No Threat Objects

References

https://attack.mitre.org/techniques/T1539/

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`Okta`	`OktaIM2:log`
Integration	✅ Passing	Dataset	`Okta`	`OktaIM2:log`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 5