Successful Okta user session created from different locations in a short period

ID: okta_user_session_created_impossible_travel
Data type: Okta
Severity: Informational - Medium
MITRE ATT&CK: TA0001:T1078.004

Description

AlphaSOC detected that an Okta user session was created. This indicates a user successfully authenticated to Okta and established a new session using valid credentials. This detection serves as a baseline for monitoring authentication activity within your Okta environment.

Impact

Unauthorized session creation could allow adversaries to access applications and services integrated with Okta, potentially leading to data access, lateral movement across connected systems, or privilege escalation if the compromised account has administrative privileges.

Severity

| Severity | Condition |
| --- | --- |
| Informational | Okta user session created |
| Informational | Okta user session created from different locations in a short period |
| Low | Okta user session created from a new country |
| Low | Unexpected Okta user session created |
| Medium | Suspicious Okta user session created |

Investigation and Remediation

Review the session creation event in the Okta System Log to verify the source IP address, geolocation, device fingerprint, and authentication method used. Compare these with the user's typical access patterns and verify whether multi-factor authentication was used. If the session appears suspicious, take immediate action by terminating the active session, resetting credentials for the affected user, and conducting a thorough investigation for additional indicators of compromise in your environment.
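
To reproduce the "different locations in a short period" check during an investigation, the sketch below scores consecutive successful user.session.start events per user by implied travel speed. It is an added example, not AlphaSOC's detection logic or part of the original page. The two thresholds, the function names and the sample events are assumptions constructed for illustration; the event fields follow the Okta System Log layout.

```python
import math
from datetime import datetime

MAX_SPEED_KMH = 900.0    # assumption: roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0  # assumption: floor that absorbs IP-geolocation error

def make_event(user, ts, ip, country, lat, lon, result="SUCCESS"):
    """Build a constructed event with only the System Log fields used below."""
    return {"eventType": "user.session.start", "published": ts,
            "actor": {"alternateId": user}, "outcome": {"result": result},
            "client": {"ipAddress": ip, "geographicalContext": {
                "country": country, "geolocation": {"lat": lat, "lon": lon}}}}

SAMPLE_EVENTS = [  # constructed sample data, documentation IP ranges
    make_event("alice@example.com", "2024-05-01T08:00:00.000Z", "192.0.2.10", "United Kingdom", 51.5074, -0.1278),
    make_event("alice@example.com", "2024-05-01T08:45:00.000Z", "198.51.100.7", "Australia", -33.8688, 151.2093),
    make_event("bob@example.com", "2024-05-01T09:00:00.000Z", "203.0.113.5", "Germany", 52.52, 13.405),
    make_event("bob@example.com", "2024-05-01T09:20:00.000Z", "203.0.113.9", "Germany", 52.40, 13.06),
]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def find_impossible_travel(events):
    """Flag consecutive successful sessions per user that imply implausible speed."""
    last, findings = {}, []
    ok = [e for e in events if e.get("eventType") == "user.session.start"
          and e.get("outcome", {}).get("result") == "SUCCESS"]
    for e in sorted(ok, key=lambda e: e["published"]):  # UTC ISO strings sort in time order
        geo = (e.get("client", {}).get("geographicalContext") or {}).get("geolocation") or {}
        if geo.get("lat") is None or geo.get("lon") is None:
            continue  # no geolocation on the event, so it cannot be scored
        user = e["actor"]["alternateId"]
        when = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
        here, ip = (geo["lat"], geo["lon"]), e["client"]["ipAddress"]
        if user in last:
            prev_when, prev_here, prev_ip = last[user]
            km = haversine_km(prev_here, here)
            hours = max((when - prev_when).total_seconds() / 3600, 1 / 3600)
            if km >= MIN_DISTANCE_KM and km / hours > MAX_SPEED_KMH:
                findings.append({"user": user, "from_ip": prev_ip, "to_ip": ip,
                                 "km": round(km), "kmh": round(km / hours)})
        last[user] = (when, here, ip)
    return findings
```

A hit from this check is only a lead: VPN egress points, corporate proxies and mobile carriers routinely produce the same pattern, which is why the device fingerprint and authentication method still need to be compared before acting.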