From 30fe68addd96f48f98ad577efba35a35b730994a Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Wed, 22 Oct 2025 10:28:28 -0400
Subject: [PATCH 1/8] [New Rule] Okta Multiple OS Names Detected for a Single DT Hash
Fixes #5240
---
 ...multiple_user_agent_os_authentication.toml | 105 ++++++++++++++++++
 1 file changed, 105 insertions(+)
 create mode 100644 rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml
diff --git a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml
new file mode 100644
index 00000000000..fb179c70e47
--- /dev/null
+++ b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml
@@ -0,0 +1,105 @@
+[metadata]
+creation_date = "2025/10/22"
+maturity = "production"
+updated_date = "2025/10/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a single Okta device trust hash (dt_hash) is associated with multiple operating system types. This is
+highly anomalous because a device trust token is tied to a specific device and its operating system. This alert strongly
+indicates that an attacker has stolen a device trust token and is using it to impersonate a legitimate user from a
+different machine.
+"""
+false_positives = [
+ """
+ Applications will tag the operating system as null when the device is not recognized as a managed device. In
+ environments where users frequently switch between managed and unmanaged devices, this may lead to false positives.
+ """,
+]
+from = "now-60m"
+index = ["logs-okta.system-*"]
+interval = "5m"
+language = "kuery"
+name = "Okta Multiple OS Names Detected for a Single DT Hash"
+note = """## Triage and analysis
+
+### Investigating Okta Multiple OS Names Detected for a Single DT Hash
+
+This rule detects when a single Okta device trust hash (dt_hash) is associated with multiple operating system types. This is highly anomalous because a device trust token is tied to a specific device and its operating system. This alert strongly indicates that an attacker has stolen a device trust token and is using it to impersonate a legitimate user from a different machine.
+
+### Possible investigation steps
+- Review the `okta.debug_context.debug_data.dt_hash` field to identify the specific device
+trust hash associated with multiple operating systems.
+- Examine the `user.email` field to determine which user account is associated with the suspicious activity
+- Analyze the `source.ip` field to identify the IP addresses from which the different operating systems were reported. Look for any unusual or unexpected locations.
+- Review the `user_agent.os.name` field to see the different operating systems reported for the
+same dt_hash. This will help identify the nature of the anomaly.
+- Check the `event.action` field to understand the context of the authentication events (e.g., MFA verification, standard authentication).
+- Investigate the timeline of events to see when the different operating systems were reported for the same dt_hash. Look for patterns or sequences that may indicate malicious activity.
+- Correlate this activity with other security events in your environment, such as failed login attempts, unusual access patterns, or alerts from endpoint security solutions.
+
+### False positive analysis
+- Applications will tag the operating system as null when the device is not recognized as a managed device
+- In environments where users frequently switch between managed and unmanaged devices, this may lead to false positives.
+
+### Response and remediation
+- Immediately investigate the user account associated with the suspicious activity to determine if it has been compromised.
+- If compromise is confirmed, reset the user's credentials and enforce multi-factor authentication (MFA)
+- Revoke any active sessions associated with the compromised account to prevent further unauthorized access.
+- Review and monitor the affected dt_hash for any further suspicious activity.
+- Educate users about the importance of device security and the risks associated with device trust tokens.
+- Implement additional monitoring for device trust tokens and consider using conditional access policies to restrict access based on device compliance status.
+"""
+risk_score = 73
+rule_id = "fb3ca230-af4e-11f0-900d-f661ea17fbcc"
+severity = "high"
+tags = [
+ "Domain: Identity",
+ "Data Source: Okta",
+ "Data Source: Okta System Logs",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+]
+timestamp_override = "event.ingested"
+type = "threshold"
+
+query = '''
+data_stream.dataset: "okta.system" and
+ okta.debug_context.debug_data.dt_hash: * and
+ okta.device.os_platform: * and
+ event.action: ("user.authentication.verify" or "user.authentication.auth_via_mfa")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1539"
+name = "Steal Web Session Cookie"
+reference = "https://attack.mitre.org/techniques/T1539/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "okta.debug_context.debug_data.dt_hash",
+ "user.email",
+ "source.ip",
+ "user_agent.os.name",
+ "event.action",
+]
+
+[rule.threshold]
+field = ["okta.debug_context.debug_data.dt_hash"]
+value = 1
+[[rule.threshold.cardinality]]
+field = "user_agent.os.name"
+value = 2
+
+
From a2ee9a4797186df6f5e26b552b92712f190c517f Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Wed, 22 Oct 2025 10:38:04 -0400
Subject: [PATCH 2/8] updated query logic
---
 ...access_multiple_user_agent_os_authentication.toml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml
index fb179c70e47..8d8e09adaeb 100644
--- a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml
+++ b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml
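Review bot: The `false_positives` entry and the `### False positive analysis` section attribute false positives to the OS being tagged null for unmanaged devices, but the `[[rule.threshold.cardinality]]` block counts distinct values of `user_agent.os.name`, and as far as I can tell a document that simply lacks that field adds no distinct value — only a literal placeholder string would push the count to 2. The guidance should say which case applies so an analyst can separate managed/unmanaged switching from a stolen token, e.g. add `- Check whether the second OS value is a real OS name or a placeholder emitted for unmanaged devices; a placeholder alone does not indicate a stolen token.` to the investigation steps. Note also that the query in this hunk gates on `okta.device.os_platform: *` while the cardinality and the investigation fields use `user_agent.os.name`, so an event carrying a user-agent OS but no `okta.device.os_platform` is dropped before it is counted; the `@@ -66,9 +66,15 @@` hunk later in this series changes the gate to `user_agent.os.name: *`, and whichever field is gated on should stay aligned with the cardinality field.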
@@ -66,9 +66,15 @@ type = "threshold" query = ''' data_stream.dataset: "okta.system" and - okta.debug_context.debug_data.dt_hash: * and - okta.device.os_platform: * and - event.action: ("user.authentication.verify" or "user.authentication.auth_via_mfa") + event.action: ( + "user.authentication.verify" or + "user.authentication.auth_via_mfa" + ) and + ( + okta.debug_context.debug_data.dt_hash: * and + not okta.debug_context.debug_data.dt_hash: "-" + ) and + user_agent.os.name: * ''' From 3e5ea32d0b0dd038a658793ec4b65211e08a114d Mon Sep 17 00:00:00 2001 From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Wed, 22 Oct 2025 10:40:18 -0400 Subject: [PATCH 3/8] Update rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml --- .../credential_access_multiple_user_agent_os_authentication.toml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml index 8d8e09adaeb..1d2f68614b4 100644 --- a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml +++ b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml @@ -19,7 +19,6 @@ false_positives = [ ] from = "now-60m" index = ["logs-okta.system-*"] -interval = "5m" language = "kuery" name = "Okta Multiple OS Names Detected for a Single DT Hash" note = """## Triage and analysis From 0fe16e13e85835b01476e0d16b1a0efa8ffd8686 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Wed, 22 Oct 2025 10:45:11 -0400 Subject: [PATCH 4/8] fixed verbiage --- ...access_multiple_user_agent_os_authentication.toml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
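Review bot: The new clause `not okta.debug_context.debug_data.dt_hash: "-"` excludes a literal `-` value without any explanation of what that value means, and the rule's `note` never mentions it, so a later maintainer cannot tell whether it is a no-token placeholder or a parsing artifact. If `-` is what Okta emits when no device token is present (I am inferring that from the exclusion), add a sentence to the `### Possible investigation steps` section such as `- Events whose dt_hash is "-" carry no device token and are excluded by the query; confirm the alerting events all share a real hash value.` Keeping the existence check `okta.debug_context.debug_data.dt_hash: *` next to the exclusion, as this hunk does, is the right shape; the later `@@ -64,16 +64,13 @@` rewrite drops it.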
diff --git a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml index 1d2f68614b4..20b5857a1bb 100644 --- a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml +++ b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml @@ -6,9 +6,9 @@ updated_date = "2025/10/22" [rule] author = ["Elastic"] description = """ -Identifies when a single Okta device trust hash (dt_hash) is associated with multiple operating system types. This is -highly anomalous because a device trust token is tied to a specific device and its operating system. This alert strongly -indicates that an attacker has stolen a device trust token and is using it to impersonate a legitimate user from a +Identifies when a single Okta device token hash (dt_hash) is associated with multiple operating system types. This is +highly anomalous because a device token token is tied to a specific device and its operating system. This alert strongly +indicates that an attacker has stolen a device token token and is using it to impersonate a legitimate user from a different machine. """ false_positives = [ 
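Review bot: The rewording doubles a word: the two rewritten `description` lines in this hunk read `device token token`, the `### Investigating` paragraph in the `@@ -25,7 +25,7 @@` hunk repeats it twice, and the two remediation bullets in the `@@ -47,8 +47,8 @@` hunk read `device token tokens`. Patches 7 and 8 of this series correct only the two `description` lines, so after the full series the investigation paragraph and both remediation bullets still carry the doubled word and should be changed to `device token` / `device tokens` as well.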
@@ -25,7 +25,7 @@ note = """## Triage and analysis ### Investigating Okta Multiple OS Names Detected for a Single DT Hash -This rule detects when a single Okta device trust hash (dt_hash) is associated with multiple operating system types. This is highly anomalous because a device trust token is tied to a specific device and its operating system. This alert strongly indicates that an attacker has stolen a device trust token and is using it to impersonate a legitimate user from a different machine. +This rule detects when a single Okta device token hash (dt_hash) is associated with multiple operating system types. This is highly anomalous because a device token token is tied to a specific device and its operating system. This alert strongly indicates that an attacker has stolen a device token token and is using it to impersonate a legitimate user from a different machine. ### Possible investigation steps - Review the `okta.debug_context.debug_data.dt_hash` field to identify the specific device @@ -47,8 +47,8 @@ same dt_hash. This will help identify the nature of the anomaly. - If compromise is confirmed, reset the user's credentials and enforce multi-factor authentication (MFA) - Revoke any active sessions associated with the compromised account to prevent further unauthorized access. - Review and monitor the affected dt_hash for any further suspicious activity. -- Educate users about the importance of device security and the risks associated with device trust tokens. -- Implement additional monitoring for device trust tokens and consider using conditional access policies to restrict access based on device compliance status. +- Educate users about the importance of device security and the risks associated with device token tokens. +- Implement additional monitoring for device token tokens and consider using conditional access policies to restrict access based on device compliance status. """ risk_score = 73 rule_id = "fb3ca230-af4e-11f0-900d-f661ea17fbcc" 
From dd93c6a3d2aebee7ab662b068621228f424da012 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Wed, 22 Oct 2025 14:10:28 -0400 Subject: [PATCH 5/8] updated query logic --- ...ccess_multiple_user_agent_os_authentication.toml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml index 20b5857a1bb..fcd136e42f2 100644 --- a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml +++ b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml @@ -64,16 +64,13 @@ timestamp_override = "event.ingested" type = "threshold" query = ''' -data_stream.dataset: "okta.system" and - event.action: ( +data_stream.dataset: "okta.system" + and not okta.debug_context.debug_data.dt_hash: "-" + and user_agent.os.name: * + and event.action: ( "user.authentication.verify" or "user.authentication.auth_via_mfa" - ) and - ( - okta.debug_context.debug_data.dt_hash: * and - not okta.debug_context.debug_data.dt_hash: "-" - ) and - user_agent.os.name: * + ) ''' From 0c68ad82cdea4b93a5777b8b89214cc272bbd975 Mon Sep 17 00:00:00 2001 From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Thu, 20 Nov 2025 11:06:07 -0500 Subject: [PATCH 6/8] Update rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> --- .../credential_access_multiple_user_agent_os_authentication.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml index fcd136e42f2..b2aad70a3fe 100644 --- a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml 
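Review bot: The rewritten query keeps `and not okta.debug_context.debug_data.dt_hash: "-"` but drops the `okta.debug_context.debug_data.dt_hash: *` existence check that the previous version paired with it; a negated KQL term also matches documents that have no dt_hash at all, so the query now admits token-less authentication events and relies on the threshold grouping on that field to discard them implicitly. Restoring the guard as its own line, `and okta.debug_context.debug_data.dt_hash: *`, directly above the `-` exclusion keeps the intent explicit and avoids scanning events the rule can never alert on. The reordering and the multi-line `event.action` list are otherwise fine.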
+++ b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2025/10/22" +integration = ["okta"] maturity = "production" updated_date = "2025/10/22" From 9c02a138ab32eb8b742839c3d927cafb477a03c3 Mon Sep 17 00:00:00 2001 From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Thu, 20 Nov 2025 11:06:15 -0500 Subject: [PATCH 7/8] Update rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> --- ...credential_access_multiple_user_agent_os_authentication.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml index b2aad70a3fe..c2b8c904027 100644 --- a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml +++ b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml @@ -8,7 +8,7 @@ updated_date = "2025/10/22" author = ["Elastic"] description = """ Identifies when a single Okta device token hash (dt_hash) is associated with multiple operating system types. This is -highly anomalous because a device token token is tied to a specific device and its operating system. This alert strongly +highly anomalous because a device token is tied to a specific device and its operating system. This alert strongly indicates that an attacker has stolen a device token token and is using it to impersonate a legitimate user from a different machine. """ From ad577a95a8a4618f963d5610c95a089da7657096 Mon Sep 17 00:00:00 2001 
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Thu, 20 Nov 2025 11:06:21 -0500 Subject: [PATCH 8/8] Update rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> --- ...credential_access_multiple_user_agent_os_authentication.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml index c2b8c904027..f23c264f3ca 100644 --- a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml +++ b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml @@ -9,7 +9,7 @@ author = ["Elastic"] description = """ Identifies when a single Okta device token hash (dt_hash) is associated with multiple operating system types. This is highly anomalous because a device token is tied to a specific device and its operating system. This alert strongly -indicates that an attacker has stolen a device token token and is using it to impersonate a legitimate user from a +indicates that an attacker has stolen a device token and is using it to impersonate a legitimate user from a different machine. """ false_positives = [