Successful Okta user session created from different locations in a short period
Description
AlphaSOC detected that an Okta user session was created. This indicates a user successfully authenticated to Okta and established a new session using valid credentials. This detection serves as a baseline for monitoring authentication activity within your Okta environment.
Impact
Unauthorized session creation could allow adversaries to access applications and services integrated with Okta, potentially leading to data access, lateral movement across connected systems, or privilege escalation if the compromised account has administrative privileges.
Severity
| Severity | Condition |
|---|---|
Informational | Okta user session created |
Informational | Okta user session created from different locations in a short period |
Low | Okta user session created from a new country |
Low | Unexpected Okta user session created |
Medium | Suspicious Okta user session created |
Investigation and Remediation
Review the session creation event in Okta System Log to verify the source IP address, geolocation, device fingerprint, and authentication method used. Compare with the user's typical access patterns and verify if multi-factor authentication was used. If the session appears suspicious, take immediate action by terminating the active session, resetting credentials for the affected user, and conducting a thorough investigation for additional indicators of compromise in your environment.