
Summary
This detection rule identifies possible Adversary-in-the-Middle (AiTM) session cookie replay attacks against Okta. It looks for an Okta session that is accessed from multiple IP addresses or through atypical user agents after the initial authentication has completed. AiTM attacks typically capture session cookies through phishing with reverse proxies such as Evilginx, which lets an attacker replay those cookies and bypass multi-factor authentication (MFA). The detection logic correlates session start events with subsequent policy evaluations or SSO attempts that originate from different IPs or unusual user-agent strings. The rule is implemented as an ESQL query that aggregates session data and raises an alert only when specific anomalous conditions, such as multiple IP addresses or suspicious user agents, are met. It includes an investigation guide describing how to analyze alerts to confirm a suspected incident and how to respond and remediate, and it notes that legitimate network changes (for example, a user switching networks mid-session) can produce false positives.
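The correlation described above, written out as an added Python illustration rather than the rule's own ESQL query: events are grouped by Okta session ID, the session start is located, and later policy-evaluation or SSO events are checked for additional source IPs or a non-browser user agent. The sample events are constructed, and the abbreviated field names are assumed mappings onto Okta System Log fields.

```python
from collections import defaultdict

# Constructed sample events shaped like Okta System Log records (not real data).
# Abbreviated field names are assumed to map onto eventType,
# authenticationContext.externalSessionId, client.ipAddress and client.userAgent.rawUserAgent.
SAMPLE_EVENTS = [
    {"ts": 100, "eventType": "user.session.start", "sid": "sess-A",
     "ip": "198.51.100.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120"},
    {"ts": 105, "eventType": "policy.evaluate_sign_on", "sid": "sess-A",
     "ip": "198.51.100.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120"},
    {"ts": 900, "eventType": "user.authentication.sso", "sid": "sess-A",
     "ip": "203.0.113.77", "ua": "python-requests/2.31"},
    {"ts": 200, "eventType": "user.session.start", "sid": "sess-B",
     "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/17"},
    {"ts": 260, "eventType": "user.authentication.sso", "sid": "sess-B",
     "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/17"},
]

POST_AUTH_EVENTS = {"policy.evaluate_sign_on", "user.authentication.sso"}
# Substrings typical of scripted or non-browser clients; tune this list to your environment.
ATYPICAL_UA_MARKERS = ("python-requests", "curl/", "go-http-client", "okhttp")

def is_atypical_user_agent(ua: str) -> bool:
    ua = ua.lower()
    return any(m in ua for m in ATYPICAL_UA_MARKERS)

def find_replayed_sessions(events):
    """Return {session_id: finding} for sessions whose post-authentication
    activity comes from more than one IP or from an atypical user agent."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["sid"]].append(e)
    findings = {}
    for sid, evs in by_session.items():
        starts = [e for e in evs if e["eventType"] == "user.session.start"]
        if not starts:
            continue  # no observed session start, nothing to correlate against
        start_ts = min(e["ts"] for e in starts)
        later = [e for e in evs if e["eventType"] in POST_AUTH_EVENTS and e["ts"] > start_ts]
        ips = {e["ip"] for e in starts} | {e["ip"] for e in later}
        reasons = []
        if len(ips) > 1:
            reasons.append("multiple_ips")
        if any(is_atypical_user_agent(e["ua"]) for e in later):
            reasons.append("atypical_user_agent")
        if reasons:
            findings[sid] = {"ips": sorted(ips), "reasons": reasons}
    return findings
```

A session that is only ever seen from one IP with a browser user agent (sess-B) produces no finding, which is the behaviour that keeps ordinary sign-ins from alerting.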
Categories
- Identity Management
Data Sources
- User Account
- Application Log
- Cloud Service
ATT&CK Techniques
- T1539
- T1550
- T1550.004
Created: 2026-01-26