
Summary
This rule flags anomalous spikes in the number of concurrent active sessions for a single user. It watches for an unexpectedly high count of simultaneous sessions started by one user within a 15-minute window. Such a pattern can indicate an attacker who holds valid credentials and is using them to escalate privileges or to maintain persistence across several systems at once. Detection is driven by a machine learning job that models each user's normal session behavior and flags significant deviations from that baseline. Setup requires the Privileged Access Detection (PAD) integration with Okta logs being ingested through it. An alert from this rule should be treated as a prompt for the security team to investigate possible privilege escalation.
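The following is an added example, not the rule's own code or its machine learning job: it runs the same idea (count the distinct sessions a user starts per 15-minute window and compare against that user's history) over a handful of constructed Okta System Log records. The field names follow the Okta log schema (`published`, `eventType`, `actor.alternateId`, `authenticationContext.externalSessionId`, `client.ipAddress`); the event values, the mean-of-history baseline, and the `MIN_SESSIONS` and `SPIKE_FACTOR` thresholds are all assumptions made for the illustration.

```python
"""Deterministic stand-in for the concurrent-sessions spike detection.

Added illustration only: the real rule uses an ML job; here each user's
baseline is the mean session count of their earlier 15-minute buckets.
"""
from collections import defaultdict
from datetime import datetime, timezone

BUCKET_SECONDS = 15 * 60   # the rule's 15-minute window
MIN_SESSIONS = 5           # hypothetical floor before a bucket can alert
SPIKE_FACTOR = 3.0         # hypothetical: alert when count >= factor * baseline


def _event(ts, user, session_id, ip):
    """Build a minimal Okta System Log record (constructed sample data)."""
    return {
        "published": ts,
        "eventType": "user.session.start",
        "actor": {"alternateId": user},
        "authenticationContext": {"externalSessionId": session_id},
        "client": {"ipAddress": ip},
    }


# Constructed sample: alice starts one session per window for an hour, then
# eight sessions from eight addresses inside the 10:00 window; bob is steady.
SAMPLE_EVENTS = []
for i, hhmm in enumerate(["09:00", "09:15", "09:30", "09:45"]):
    SAMPLE_EVENTS.append(_event(f"2025-02-18T{hhmm}:10Z", "alice@example.com",
                                f"s-alice-{i}", "203.0.113.10"))
for i in range(8):
    SAMPLE_EVENTS.append(_event(f"2025-02-18T10:0{i}:05Z", "alice@example.com",
                                f"s-alice-spike-{i}", f"198.51.100.{i + 1}"))
for i in range(5):
    minutes = 9 * 60 + 15 * i
    hhmm = f"{minutes // 60:02d}:{minutes % 60:02d}"
    for j in range(2):
        SAMPLE_EVENTS.append(_event(f"2025-02-18T{hhmm}:2{j}Z", "bob@example.com",
                                    f"s-bob-{i}-{j}", "203.0.113.20"))


def parse_ts(value):
    """Okta 'published' is ISO 8601 in UTC, with or without fractional seconds."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def bucket_start(ts):
    """Epoch-aligned 15-minute bucket (starts at :00, :15, :30, :45)."""
    return int(ts.timestamp() // BUCKET_SECONDS) * BUCKET_SECONDS


def sessions_per_bucket(events):
    """user -> bucket_start -> {'sessions': set(ids), 'ips': set(ips)}."""
    out = defaultdict(lambda: defaultdict(lambda: {"sessions": set(), "ips": set()}))
    for e in events:
        if e.get("eventType") != "user.session.start":
            continue
        user = e["actor"]["alternateId"]
        slot = out[user][bucket_start(parse_ts(e["published"]))]
        slot["sessions"].add(e["authenticationContext"]["externalSessionId"])
        slot["ips"].add(e["client"]["ipAddress"])
    return out


def find_spikes(events):
    """Return one alert per (user, bucket) whose session count spikes over history."""
    alerts = []
    for user, buckets in sessions_per_bucket(events).items():
        history = []
        for b in sorted(buckets):
            count = len(buckets[b]["sessions"])
            if history:
                baseline = sum(history) / len(history)
                if count >= MIN_SESSIONS and count >= SPIKE_FACTOR * baseline:
                    alerts.append({
                        "user": user,
                        "bucket_start": datetime.fromtimestamp(b, timezone.utc).isoformat(),
                        "concurrent_sessions": count,
                        "baseline": baseline,
                        "source_ips": sorted(buckets[b]["ips"]),
                    })
            history.append(count)
    return alerts


if __name__ == "__main__":
    for alert in find_spikes(SAMPLE_EVENTS):
        print(alert)
```

The alert carries the distinct source addresses seen in the spiking window because that is the first thing a triager wants: eight sessions from eight addresses in a quarter hour reads very differently from eight sessions from one workstation. Note that this stand-in has no notion of sessions that end; a production version would also consume `user.session.end` events so that long-lived sessions are not re-counted across windows.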
Categories
- Network
- Endpoint
- Cloud
Data Sources
- User Account
- Logon Session
- Application Log
ATT&CK Techniques
- T1068
- T1078
Created: 2025-02-18