:warning: THIS IS AN EXPERIMENTAL DETECTION

This detection has been marked experimental by the Splunk Threat Research team. This means we have not been able to test, simulate, or build datasets for this detection. Use at your own risk. This analytic is NOT supported.


Description

The following analytic looks for one or more policy evaluation events in which multiple client values (IP, User Agent, etc.) change while associated with the same Device Token for a specific user. A detection opportunity arises when an adversary attempts to reuse a stolen web session cookie.

  • Retrieves policy evaluation events from successful authentication events.
  • Aggregates/groups by Device Token and User, keeping the first policy evaluation event in the search window.
  • Evaluates whether there is more than one IP and whether there is more than one OS or browser for each combination of User/Device Token.

  • Type: Hunting
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2023-03-17
  • Author: Scott Dermott and Felicity Robson, Okta, Michael Haag, Splunk
  • ID: 71ad47d1-d6bd-4e0a-b35c-020ad9a6959e

Annotations

ATT&CK

  • T1539: Steal Web Session Cookie (Tactic: Credential Access)
Kill Chain Phase
  • Exploitation
NIST
  • DE.AE
CIS20
  • CIS 10
CVE

Search
`okta` eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW, SUCCESS) 
| stats earliest(_time) as _time values(client.ipAddress) as src_ip values(client.userAgent.rawUserAgent) as user_agent values(client.userAgent.os) as userAgentOS_list values(client.geographicalContext.city) as city values(client.userAgent.browser) as userAgentBrowser_list values(device.os_platform) as okta_device_os dc(client.userAgent.browser) as dc_userAgentBrowser dc(client.userAgent.os) as dc_userAgentOS dc(client.ipAddress) as dc_src_ip values(outcome.reason) as reason by debugContext.debugData.dtHash actor.alternateId 
| where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1) 
| `okta_suspicious_use_of_a_session_cookie_filter`
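The following is an added example (not Splunk's or Okta's own code) that re-implements the logic of the description and the SPL above in Python, so the grouping and threshold can be exercised offline against constructed sample events: it keeps policy.evaluate_sign_on events with outcome ALLOW or SUCCESS, groups by (debugContext.debugData.dtHash, actor.alternateId), records the earliest time and the distinct client values, and flags a group only when more than one source IP was seen AND (more than one OS OR more than one browser). The event shape, user names, device-token hashes and IP addresses are constructed for illustration.

```python
"""Offline re-implementation of the session-cookie reuse logic described above.

Added example, not Splunk's or Okta's own code. It mirrors the SPL: keep
policy.evaluate_sign_on events whose outcome is ALLOW or SUCCESS, group by
(debugContext.debugData.dtHash, actor.alternateId), record the earliest event
time, collect the distinct client values, and flag a group when more than one
source IP was seen AND (more than one OS OR more than one browser).
"""
from collections import defaultdict

# Aggregate name -> Splunk field name, as in the SPL's "values(...) as ..." clauses.
VALUE_FIELDS = {
    "src_ip": "client.ipAddress",
    "user_agent": "client.userAgent.rawUserAgent",
    "userAgentOS_list": "client.userAgent.os",
    "city": "client.geographicalContext.city",
    "userAgentBrowser_list": "client.userAgent.browser",
    "okta_device_os": "device.os_platform",
    "reason": "outcome.reason",
}


def make_event(ts, user, dt_hash, ip, os_name, browser, city, result="ALLOW"):
    """Build a constructed Okta System Log event with the nested shape the SPL
    field names refer to (sample data, not a real log)."""
    return {
        "_time": ts,
        "eventType": "policy.evaluate_sign_on",
        "outcome": {"result": result, "reason": "Sign-on policy evaluation resulted in " + result},
        "client": {
            "ipAddress": ip,
            "userAgent": {"rawUserAgent": f"{browser}/{os_name}", "os": os_name, "browser": browser},
            "geographicalContext": {"city": city},
        },
        "device": {"os_platform": os_name.split()[0].upper()},
        "debugContext": {"debugData": {"dtHash": dt_hash}},
        "actor": {"alternateId": user},
    }


# Constructed sample events (hashes, users and addresses are made up).
SAMPLE_EVENTS = [
    # alice: one device token, one IP, one OS/browser -> normal.
    make_event(1679000000, "alice@example.com", "dt-aaaa", "203.0.113.10", "Windows 10", "CHROME", "Dublin"),
    make_event(1679000300, "alice@example.com", "dt-aaaa", "203.0.113.10", "Windows 10", "CHROME", "Dublin"),
    # bob: the same device token seen from a second IP with a different OS and
    # browser -> the pattern the analytic hunts for.
    make_event(1679001000, "bob@example.com", "dt-bbbb", "198.51.100.5", "Windows 10", "CHROME", "London"),
    make_event(1679001900, "bob@example.com", "dt-bbbb", "192.0.2.77", "Linux", "FIREFOX", "Warsaw"),
    # carol: two IPs (e.g. roaming) but identical OS and browser -> not flagged,
    # because the SPL requires dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1).
    make_event(1679002000, "carol@example.com", "dt-cccc", "203.0.113.40", "Mac OS X", "SAFARI", "Paris"),
    make_event(1679002500, "carol@example.com", "dt-cccc", "203.0.113.41", "Mac OS X", "SAFARI", "Paris"),
    # dave: second IP/OS, but that evaluation was denied -> dropped by the outcome filter.
    make_event(1679003000, "dave@example.com", "dt-dddd", "198.51.100.9", "Windows 10", "CHROME", "Berlin"),
    make_event(1679003100, "dave@example.com", "dt-dddd", "192.0.2.15", "Linux", "FIREFOX", "Berlin", result="DENY"),
]


def get_field(event, path):
    """Resolve a dotted Splunk field name (e.g. client.userAgent.os) on a nested dict."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(events):
    """Return {(dtHash, user): summary} for every group that meets the detection
    condition; the summary carries the same aggregates the SPL emits."""
    groups = defaultdict(lambda: {"_time": None, **{k: set() for k in VALUE_FIELDS}})
    for ev in events:
        if get_field(ev, "eventType") != "policy.evaluate_sign_on":
            continue
        if get_field(ev, "outcome.result") not in ("ALLOW", "SUCCESS"):
            continue
        key = (get_field(ev, "debugContext.debugData.dtHash"), get_field(ev, "actor.alternateId"))
        g = groups[key]
        ts = get_field(ev, "_time")
        if g["_time"] is None or ts < g["_time"]:   # earliest(_time)
            g["_time"] = ts
        for name, path in VALUE_FIELDS.items():    # values(...)
            val = get_field(ev, path)
            if val is not None:
                g[name].add(val)

    hits = {}
    for key, g in groups.items():
        dc_src_ip = len(g["src_ip"])                   # dc(client.ipAddress)
        dc_os = len(g["userAgentOS_list"])             # dc(client.userAgent.os)
        dc_browser = len(g["userAgentBrowser_list"])   # dc(client.userAgent.browser)
        if dc_src_ip > 1 and (dc_os > 1 or dc_browser > 1):   # the SPL's where clause
            hits[key] = {
                "_time": g["_time"],
                "dc_src_ip": dc_src_ip,
                "dc_userAgentOS": dc_os,
                "dc_userAgentBrowser": dc_browser,
                **{name: sorted(vals) for name, vals in g.items() if name != "_time"},
            }
    return hits


if __name__ == "__main__":
    for (dt_hash, user), s in evaluate(SAMPLE_EVENTS).items():
        print(f"{user} dtHash={dt_hash} ips={s['src_ip']} os={s['userAgentOS_list']} browsers={s['userAgentBrowser_list']}")
```

Running the block prints only bob's group. The carol and dave cases show why the two halves of the `where` clause matter: a second IP alone (roaming, VPN, NAT changes) is common and is not flagged, and a denied evaluation never counts toward the distinct values, which is why the filter on outcome.result precedes the stats.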

Macros

The SPL above uses the following Macros:

  • okta
  • okta_suspicious_use_of_a_session_cookie_filter

:information_source: okta_suspicious_use_of_a_session_cookie_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • client.ipAddress
  • client.userAgent.rawUserAgent
  • client.userAgent.os
  • client.geographicalContext.city
  • client.userAgent.browser
  • device.os_platform
  • debugContext.debugData.dtHash
  • actor.alternateId

How To Implement

This analytic is specific to Okta and requires Okta:im2 logs to be ingested.

Known False Positives

False positives may be present based on organization size and configuration of Okta.

Associated Analytic Story

RBA

Risk Score: 56.0
Impact: 80
Confidence: 70
Message: A suspicious use of a session cookie was identified by user $actor.alternateId$.

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1