rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml
Lines changed: 6 additions & 6 deletions
@@ -6,9 +6,9 @@ updated_date = "2025/10/22"
6
6
[rule]
7
7
author = ["Elastic"]
8
8
description = """
9
-
Identifies when a single Okta device trust hash (dt_hash) is associated with multiple operating system types. This is
10
-
highly anomalous because a device trust token is tied to a specific device and its operating system. This alert strongly
11
-
indicates that an attacker has stolen a device trust token and is using it to impersonate a legitimate user from a
9
+
Identifies when a single Okta device token hash (dt_hash) is associated with multiple operating system types. This is
10
+
highly anomalous because a device token token is tied to a specific device and its operating system. This alert strongly
11
+
indicates that an attacker has stolen a device token token and is using it to impersonate a legitimate user from a
12
12
different machine.
13
13
"""
14
14
false_positives = [
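Review bot: the rewording on lines 10-11 of the description produces "device token token", a doubled word; "device trust token" was turned into "device token token" instead of "device token" (the first sentence's "device token hash (dt_hash)" is the correct form). Suggest `highly anomalous because a device token is tied to a specific device and its operating system.` and `indicates that an attacker has stolen a device token and is using it to impersonate a legitimate user from a`. This looks like a mechanical trust-to-token substitution, so a search for "token token" across the rule before merging would catch any other instance.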
@@ -25,7 +25,7 @@ note = """## Triage and analysis
25
25
26
26
### Investigating Okta Multiple OS Names Detected for a Single DT Hash
27
27
28
-
This rule detects when a single Okta device trust hash (dt_hash) is associated with multiple operating system types. This is highly anomalous because a device trust token is tied to a specific device and its operating system. This alert strongly indicates that an attacker has stolen a device trust token and is using it to impersonate a legitimate user from a different machine.
28
+
This rule detects when a single Okta device token hash (dt_hash) is associated with multiple operating system types. This is highly anomalous because a device token token is tied to a specific device and its operating system. This alert strongly indicates that an attacker has stolen a device token token and is using it to impersonate a legitimate user from a different machine.
29
29
30
30
### Possible investigation steps
31
31
- Review the `okta.debug_context.debug_data.dt_hash` field to identify the specific device
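Review bot: the same doubling appears twice in the rewritten triage paragraph on line 28 ("a device token token is tied to" and "stolen a device token token"); both should read "device token" so the note matches the corrected description. The heading "Investigating Okta Multiple OS Names Detected for a Single DT Hash" is unchanged and still consistent with the "device token hash (dt_hash)" wording, so no further edit is needed there.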
@@ -47,8 +47,8 @@ same dt_hash. This will help identify the nature of the anomaly.
47
47
- If compromise is confirmed, reset the user's credentials and enforce multi-factor authentication (MFA)
48
48
- Revoke any active sessions associated with the compromised account to prevent further unauthorized access.
49
49
- Review and monitor the affected dt_hash for any further suspicious activity.
50
-
- Educate users about the importance of device security and the risks associated with device trust tokens.
51
-
- Implement additional monitoring for device trust tokens and consider using conditional access policies to restrict access based on device compliance status.
50
+
- Educate users about the importance of device security and the risks associated with device token tokens.
51
+
- Implement additional monitoring for device token tokens and consider using conditional access policies to restrict access based on device compliance status.
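Review bot: the two remediation bullets on lines 50-51 now say "device token tokens"; the plural form should be "device tokens" in both ("risks associated with device tokens" and "additional monitoring for device tokens"). Otherwise the rename is confined to wording and leaves the field reference `okta.debug_context.debug_data.dt_hash` and the rule logic untouched, which is what a terminology-only change should do.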