The Okta Session Analyzer allows security teams to analyze Okta event logs for security insights.
As part of our ongoing commitment to security, we've rolled out the following features to enhance the detection capabilities of the Okta Session Analyzer:
-
High-Frequency Push MFA Requests Detection: Tracks the occurrence of multiple MFA push requests and failures within a user's session. This pattern can be indicative of bypassing security mechanisms. The threshold for "high frequency" is configurable in the tool settings.
-
Delegate IDP Configuration Change Alert: Monitors and alerts on any changes to delegate identity providers configurations within an Okta instance. Essential for maintaining the integrity of your IDP configurations.
-
Multiple User-Agents Detection: Flags sessions that show activity from multiple user-agents, potentially indicating cookie hijacking incidents.
-
Fast-Travel Activity Analysis: Implements checks for geographically improbable travel activity within sessions, which could be indicative of compromised account credentials.
-
Unauthorized Application Access Attempts Monitoring: Identifies and alerts on repeated attempts to access unauthorized applications, signaling potential malicious intent or compromised accounts.
pip install pandas
python okta_session_analyzer.py <okta_events.csv>
Before using the Okta Session Analyzer, ensure that you have Python installed on your system. This tool is compatible with Python 3.x.
-
Log in to your Okta Console: Access your Okta admin console by navigating to your Okta domain (e.g.,
yourcompany.okta.com
). -
Access the System Log:
- Navigate to Reports on the dashboard.
- Select System Log from the drop-down menu.
-
Select a Date Range (Optional):
- To filter the logs for a specific period, select a date range at the top of the System Log page.
-
Download the Logs:
- Click on the Download CSV button to download the event logs.
- Save the CSV file to a known location on your system.
After downloading the CSV file with your Okta event logs, you are ready to use the analyzer tool.
-
Open a Terminal or Command Prompt:
- Navigate to the folder where you saved the Okta Session Analyzer script (
okta_session_analyzer.py
).
- Navigate to the folder where you saved the Okta Session Analyzer script (
-
Install Dependencies
- Install the pandas dependency:
pip install pandas
- Install the pandas dependency:
-
Run the Tool:
- Execute the tool by typing the following command and replacing
syslog_query.csv
with the path to your downloaded CSV file:python okta_session_analyzer.py syslog_query.csv
- Press
Enter
to run the script.
- Execute the tool by typing the following command and replacing
-
Review the Analysis:
- The tool will process the event logs and output the analysis to your terminal or command prompt.
- Review the output for any security insights or alerts. The output from the Session Analyzer will provide a list of session IDs that can be further queried from Okta's System Log. An example of query would be
authenticationContext.externalSessionId eq "zqxNPAJAK5J25SystR3iydyTg"
oruuid eq "87dcd170-78db-11ee-9797-c718a50aa4d3"
The Okta Session Analyzer offers various configuration options to tailor the analysis to your specific needs. Refer to the python okta_session_analyzer.py --help
command for detailed information on setting analysis thresholds and customizing alert conditions.
The program will print the id of any risky sessions or individual events.
python3 okta_session_analyzer.py ~/Downloads/syslog_query.csv
Session ID: 102nHkMDaxYQoSItefBBK3v9g has indicators of high frequency MFA push requests, there were 4 push requests with 3 denials
Session ID: 102miLvqdoNR4y-4qgTOra9Fg has indicators of high frequency MFA push requests, there were 16 push requests with 15 denials
Session ID: 102ej5bUZ0rZ6Wnr3B-3p-42w has multiple user agents: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36, Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1
Session ID: 102ej5bUZ0rZ6Wnr3B-3p-42w has multiple IP addresses: 38.140.114.162, 98.116.139.99
Session ID: 102bDLRVMytnw2EUPvDwYg6oA Fast travel detected between events 20a6f947-663a-11ee-a07d-db746d32f4e2 and 39d28697-66eb-11ee-b476-011fba50955a: Distance: 2046.96 km Speed: 237.98 km/h
Session ID: 102dEB6m5ItQPKEaPHHO0Oilw Fast travel detected between events 3db79a8d-603a-11ee-96af-b3cd3e15c958 and 4eeef121-60c5-11ee-96af-b3cd3e15c958: Distance: 3867.28 km Speed: 1469.05 km/h
For any issues or questions regarding the use of the Okta Session Analyzer, please open an issue on the repository or contact our support team at [email protected]
.
Thank you for using the Okta Session Analyzer to secure your Okta environment.