惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
AWS News Blog
AWS News Blog
V
Vulnerabilities – Threatpost
D
Darknet – Hacking Tools, Hacker News & Cyber Security
量子位
博客园 - 叶小钗
AI
AI
T
Tor Project blog
Forbes - Security
Forbes - Security
W
WeLiveSecurity
博客园_首页
爱范儿
爱范儿
J
Java Code Geeks
B
Blog
G
GRAHAM CLULEY
aimingoo的专栏
aimingoo的专栏
Cloudbric
Cloudbric
C
CXSECURITY Database RSS Feed - CXSecurity.com
TaoSecurity Blog
TaoSecurity Blog
L
LINUX DO - 热门话题
阮一峰的网络日志
阮一峰的网络日志
有赞技术团队
有赞技术团队
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Simon Willison's Weblog
Simon Willison's Weblog
云风的 BLOG
云风的 BLOG
Google DeepMind News
Google DeepMind News
H
Help Net Security
博客园 - 三生石上(FineUI控件)
C
Cisco Blogs
C
Cybersecurity and Infrastructure Security Agency CISA
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
P
Palo Alto Networks Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Recent Commits to openclaw:main
Recent Commits to openclaw:main
博客园 - 司徒正美
The Last Watchdog
The Last Watchdog
Blog — PlanetScale
Blog — PlanetScale
T
The Blog of Author Tim Ferriss
S
Secure Thoughts
Spread Privacy
Spread Privacy
F
Fortinet All Blogs
月光博客
月光博客
大猫的无限游戏
大猫的无限游戏
S
SegmentFault 最新的问题
H
Hackread – Cybersecurity News, Data Breaches, AI and More
A
About on SuperTechFans
Security Latest
Security Latest
Webroot Blog
Webroot Blog
Scott Helme
Scott Helme
Hugging Face - Blog
Hugging Face - Blog

Okta Security RSS Feed

OpenSSL HollowByte: A DoS Hiding in 11 Bytes Datadog and Okta Combine for New Customer Detections Detecting OpenClaw at Sign-In Okta Hardening Guide Updated to Secure Non-Human Identities Okta Pooled Security Audits: a One-Year Retrospective Account Recovery, without Password Resets Okta’s Response to React2Shell Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework Attackers Target Hotelier Accounts in Malvertising and Phishing Campaign Using Auth0 Logs for Proactive Threat Detection Controlling Cross-App Data Sprawl in Google Workspace How this ClickFix campaign leads to Redline Stealer Paving the Path: Pooled Audits with Okta Security Building Confidence in Support Comms with Caller Verify at Okta Enabling ISO/IEC 27001:2022 Compliance with Okta Okta’s Secure by Design Pledge - One Year On Leveraging Okta System Logs for Proactive Threat Detection Enhancing Customer Trust Through a Comprehensive Audit Program Okta's new Security Technical Implementation Guide (STIG) A Guide to DORA Compliance with Okta How AI services power the DPRK’s IT contracting scams Detect and Prevent Cross Device Authentication How Responsible Disclosures are Shaping a Safer Cyberspace Cybersecurity’s Next Gen Next.js CVE-2025-29927 CSO Conversations: Matthew Hansen, Regional CSO of Americas West Empowering Security with Customer Trust Solutions Putting Security First with Secure Development CSO Conversations: Stephen McDermid, Regional CSO of EMEA Content-Security-Policy in a Complex Environment CSO Conversations: Keiko Itakura, Regional CSO of Japan How Okta Embraces Identity Verification Using Persona CSO Conversations: Matt Immler, Regional CSO of Americas East Raising the Bar for our Industry with IPSIE Cyber-Safety over the Holidays Okta Social Engineering Impersonation Report - Response and Recommendation Five Reasons to Upgrade your Org to Okta Identity Engine Okta’s Ongoing Commitment to Secure By Design Unveiling the Essence of the Security Customer Trust Function Security Education Through the Art of Storytelling Seven Ways to Reduce Super Admins in Okta The Case for Zero Standing Privileges FastPass: The battle-hardened authenticator Detecting Cross-Origin Authentication Credential Stuffing Attacks How to Block Anonymizing Services using Okta Why Cyber-heroes need a Zero Trust CAEP! Okta Verify Vulnerability Disclosure Report - Response and Remediation Defensive Domain Registration is a Mug’s Game Protecting Administrative Sessions in Okta How to Secure the SaaS Apps of the Future Okta October 2023 Security Incident Investigation Closure October Customer Support Security Incident - Update and Recommended Actions Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation Tracking Unauthorized Access to Okta's Support System Go “Secure by Default” With Custom Admin Roles for IT support staff Cross-Tenant Impersonation: Prevention and Detection BYO Telephony and the future of SMS at Okta Saying “No Thanks” to nOAuth Telling More Okta Detection Stories with Google Chronicle An Unexpected Endorsement for WebAuthn Social Engineering is Getting More Extreme, but the Fixes Can Be Simple Study up on Okta Logs for Splunk’s Boss of the SOC! Keeping Phishing Adversaries Out of the Middle Using Workflows to Respond to Anomalous Push Requests Okta and Splunk Combine to Detect Common Attacks Setting the Right Levels of Assurance for Zero Trust Catch-All's and Canary Rules User Sign-in and Recovery Events in the Okta System Log Okta Code Repositories Detecting Real-Time Phishing Attacks Detecting Real-Time Phishing Attacks Okta’s Response to OpenSSL Security Update Monitoring for Abuse of Administrative Privileges System Log: a Window into Supporting the Okta Cloud The Human Factor in Phishing Resistance Auth0 Code Repository Archives From 2020 and Earlier Phishing Resistance and Why it Matters Detecting Scatter Swine: Insights into a Relentless Phishing Campaign Defending against Session Hijacking Unlocking the Mystery of 700+ Okta System Log Events Official Okta Statement on LAPSUS$ Claims Protection, without perimeters We (still) need to talk about RDP Just How Risky is Legacy Authentication?
One trick finds the root of any Okta troubles
Dan Dennhardt and Vadim Spector and John Murphy and Dinko Bajric · 2025-03-03 · via Okta Security RSS Feed

Whether you’re troubleshooting a technical issue or performing a forensic investigation in your Okta Workforce Identity org, this article introduces a couple of new queries that can quickly get you to the root of the problem. 

They arise from the addition of two new key/value pairs in a large number of Okta System Log events, designed to help administrators, auditors and incident responders get their job done faster.

These helpful tricks are brought to you by the letters O, S, I and C. If you haven’t heard, this acronym stands for The Okta Secure Identity Commitment, which is Okta’s long-term initiative to lead the industry in the fight against Identity attacks.

All events using an API token

The first object to take note of is the RootApiTokenId. A RootApiTokenId will first appear as the target.id when you create an API token, irrespective of whether it’s a management API token or an OAuth token in Okta:

eventType eq "system.api_token.create" and target.id eq "[RootApiTokenId]"

From that point on, the same RootApiTokenId will be stamped in the transaction.detail.rootApiTokenId value of every logged event that arises from the use of that API token.

If that token were ever compromised, or causing you some other manner of trouble, you’re able to find all logged API actions performed using that token using a single query:

transaction.detail.rootApiTokenId eq "[insert RootApiTokenId value]"

One thing to note, however: Okta management API tokens, sometimes referred to as static or SSWS Tokens, are often long-lived. They expire if an administrator revokes or rotates them or they aren’t used for 30 days. A token created more than 90 days ago is outside the retention period of Okta System log events, in which case you’ll only find the token creation event if you have been streaming these events to your SIEM and archiving them there. You can otherwise find all active tokens listed in the Okta Admin Console under Security > API > Tokens.

We recommend eschewing static tokens for OAuth2.0 tokens in production applications, given the latter are short-lived, sender-constrained, and can operate independently of the account used to create them. If for any reason OAuth 2.0 is infeasible, static tokens should be created using a dedicated Custom Admin Role that is only granted the minimum permissions required for the integration to function, and use of the token should be allowlisted to a specific IP or IP range where Okta should expect API calls for this app to originate from.

All events during a user session

The second object of interest is the RootSessionId. 

Much the same logic applies as with our method of tracking the use of an API token, only now we’re applying the same method to an interactive user session. 

The RootSessionId will first appear as the authenticationContext.rootSessionId value when an interactive user successfully validates their identity at primary authentication:

eventType eq "user.session.start" and authenticationContext.rootSessionId eq "[RootSessionId]"

From that point on, the same RootSessionId will be stamped in the authenticationContext.rootSessionId value of every logged event during the user’s interactive session.

If you ever have cause to suspect that session was compromised, you’re able to find all user actions performed using that token using a single query:

authenticationContext.rootSessionId eq "[insert RootSessionId value]"

Wait, this sounds familiar

So what’s the difference between the externalSessionID and the RootSessionId?  It sort of sounds like they do the same thing, right? 

Well, almost the same thing. The distinction is that some user actions result in creation of a new externalSessionId. 

If a user performs some form of factor lifecycle event, for example, they will be challenged to verify their identity using an existing pre-enrolled factor. Once they successfully perform this action, they have effectively commenced a new session. That makes logical sense, but when you’re troubleshooting or in response mode and want to see the bigger picture, searching with only the externalSessionId can result in missed events. The RootSessionId value, by contrast, is added to every user action up until the session expires or the user signs out.

The only exceptions to that rule are system generated events (that is, actions taken by the Okta platform in response to user generated events, but not initiated by a user), or events sourced in or triggered by Okta Workflows, Okta Privileged Access, and Okta Access Requests, which have their own unique identifiers.

To catch any potential edge cases, we suggest that any analysis of session activity also includes a sweep of actions by the IP address or actor in question. The following query can be used to identify any actions that correspond to a given criteria, but without a rootSessionId value.

not(authenticationContext.rootSessionId pr) AND <your logic>

To find all events related to a particular user that didn’t have a rootSessionId value: 

not(authenticationContext.rootSessionId pr) and actor.alternateId eq "[username value]"

To find all actions related to a particular IP that didn’t have a rootSessionId value:

not(authenticationContext.rootSessionId pr) and client.IpAddress eq "[IP address value]"

To find all actions where the user was the subject (aka target) of an event:

not(authenticationContext.rootSessionId pr) and target.alternateId eq "[username value]"

Beyond the SOC 

The ability to query for all events related to an API token or all events related to a user session also opens up a lot of possibilities for automation.

We recommend revisiting your detection library and your Okta Workflows with these queries in mind: they will help to find some creative solutions to all sorts of problems.

Dan is a Group Product Manager, responsible for Okta's product data platform. Dan has spent the last 14 years in the enterprise software space in roles across both go-to-market and product management. He holds a bachelor's degree in electrical engineering from Case Western Reserve University.

Vadim has 15+ years of experience in web application development, with expertise in identity management and access control frameworks, application security, secure software development, and cryptography. Outside of work, Vadim enjoys biking, hiking, playing the guitar, reading, and solving mathematical puzzles.

John leads the EMEA node of Okta's Detection and Response Engineering team.

His team develops detections and supplementary automations to protect Okta from threat actors, which in turn inform our rotational response and threat hunting missions.

Dinko Bajric is a Software Architech on Okta's Engineering team. Over the past 15 years, Dinko has had experience in diverse areas, including backend engineering, UI/UX, security, telemetry and analytics, performance and reliability, and management. His broad range of expertise helps him approach challenges from different perspectives, aiming to deliver reliable and efficient outcomes. Outside of work, Dinko enjoys tinkering with home automation hardware and software, but when he wants a break from technology, he builds furniture.