Suspicious app access

This detection is recorded when ITP detects an attacker's attempts to harvest app (service provider) session cookies.

Detection risk level: Medium

This is an indicator of a session hijacking attack. A common example is when a bad actor steals a user's Okta session cookie and uses it to rapidly access multiple apps. This is a high-priority investigation even though the risk level is Medium, because it implies an active, authenticated session.

Policy configuration

  • Detection: Suspicious App Access
  • Take this action: Run a Workflow to notify the SOC team to begin an investigation

Remediation strategy

  1. Investigate: Look in the System Log for the app access events. Check whether the IP address or user agent matches the user's other legitimate sessions.

  2. Secure the account:

    • Go to the user's profile in the Admin Console.

    • Click Clear User Sessions to invalidate the stolen cookie and log out the attacker.

    • Contact the user to determine if their session may have been compromised (for example, malware on their device, phishing attack).

    • Scan the user's device for malware.
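As an added example (not part of Okta's documentation or product code), the Python script below performs the first remediation step over constructed System Log events: it takes the (IP address, user agent) pairs seen at the user's own interactive logins as the legitimate baseline, flags app-access events from any other client, and flags a burst of app accesses inside a single Okta session, which is the pattern described above. Field names follow the Okta System Log schema (eventType, client.ipAddress, client.userAgent.rawUserAgent, authenticationContext.externalSessionId, target); the users, IP addresses and timestamps are made up, and the burst window and threshold are assumptions to tune per tenant.

```python
"""Correlate Okta System Log app-access events against a user's own sessions.

Added example, not from the Okta documentation: flags app accesses whose client
(IP address, user agent) was never seen at one of the user's own interactive
logins, and bursts of app accesses inside one Okta session. Field names follow
the Okta System Log schema; every event value below is constructed sample data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

APP_ACCESS_EVENT = "user.authentication.sso"  # SSO into an app (service provider)
SESSION_START_EVENT = "user.session.start"    # interactive login to Okta


def _event(event_type, user, ip, user_agent, session_id, published, app=None):
    """Build a minimal System Log event (constructed sample data)."""
    return {
        "eventType": event_type,
        "published": published,
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": user_agent}},
        "authenticationContext": {"externalSessionId": session_id},
        "target": [{"type": "AppInstance", "displayName": app}] if app else [],
    }


BROWSER_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Chrome/124.0"
SCRIPT_UA = "python-requests/2.31.0"

# Constructed timeline: Alice logs in from her laptop and opens one app. Ten
# minutes later the same Okta session (same externalSessionId, i.e. the same
# cookie) is used from another IP and user agent to reach three apps in 45 s.
SAMPLE_EVENTS = [
    _event(SESSION_START_EVENT, "alice@example.com", "203.0.113.10", BROWSER_UA, "sess-A1", "2024-05-01T09:00:00Z"),
    _event(APP_ACCESS_EVENT, "alice@example.com", "203.0.113.10", BROWSER_UA, "sess-A1", "2024-05-01T09:00:05Z", app="Salesforce"),
    _event(APP_ACCESS_EVENT, "alice@example.com", "198.51.100.7", SCRIPT_UA, "sess-A1", "2024-05-01T09:10:00Z", app="Salesforce"),
    _event(APP_ACCESS_EVENT, "alice@example.com", "198.51.100.7", SCRIPT_UA, "sess-A1", "2024-05-01T09:10:20Z", app="GitHub"),
    _event(APP_ACCESS_EVENT, "alice@example.com", "198.51.100.7", SCRIPT_UA, "sess-A1", "2024-05-01T09:10:45Z", app="Slack"),
    # Unrelated user with normal activity; must produce no findings.
    _event(SESSION_START_EVENT, "bob@example.com", "203.0.113.22", BROWSER_UA, "sess-B1", "2024-05-01T09:05:00Z"),
    _event(APP_ACCESS_EVENT, "bob@example.com", "203.0.113.22", BROWSER_UA, "sess-B1", "2024-05-01T09:06:00Z", app="Slack"),
]


def _ts(event):
    """Parse the RFC 3339 'published' timestamp (Okta emits a trailing Z)."""
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def _client_fingerprint(event):
    client = event.get("client", {})
    return client.get("ipAddress"), client.get("userAgent", {}).get("rawUserAgent")


def legitimate_fingerprints(events, user):
    """(IP, user agent) pairs seen at the user's own interactive Okta logins."""
    return {
        _client_fingerprint(e) for e in events
        if e["eventType"] == SESSION_START_EVENT and e["actor"]["alternateId"] == user
    }


def suspicious_app_access(events, user, burst_window=timedelta(minutes=2), burst_threshold=3):
    """Return findings for app accesses from an unknown client or in a burst.

    burst_window / burst_threshold are assumed tuning values, not Okta settings.
    """
    known = legitimate_fingerprints(events, user)
    accesses = sorted(
        (e for e in events
         if e["eventType"] == APP_ACCESS_EVENT and e["actor"]["alternateId"] == user),
        key=_ts,
    )
    findings = []
    by_session = defaultdict(list)
    for e in accesses:
        session = e["authenticationContext"]["externalSessionId"]
        by_session[session].append(e)
        ip, ua = _client_fingerprint(e)
        if (ip, ua) not in known:  # cookie reused from a client the user never logged in from
            findings.append({"reason": "client mismatch", "session": session, "ip": ip,
                             "userAgent": ua, "app": e["target"][0]["displayName"],
                             "published": e["published"]})
    for session, evs in by_session.items():
        for i, start in enumerate(evs):  # sliding window over one session's accesses
            window = [x for x in evs[i:] if _ts(x) - _ts(start) <= burst_window]
            if len(window) >= burst_threshold:
                findings.append({"reason": "burst", "session": session, "count": len(window),
                                 "apps": [x["target"][0]["displayName"] for x in window],
                                 "published": start["published"]})
                break  # one burst finding per session is enough to trigger review
    return findings


if __name__ == "__main__":
    print(json.dumps(suspicious_app_access(SAMPLE_EVENTS, "alice@example.com"), indent=2))
```

Against real data, replace SAMPLE_EVENTS with the events returned for the user from the System Log (filtered to the two event types above). A client-mismatch finding on a session that is still active is the case where Clear User Sessions in the Admin Console should be used right away; the session identifier in each finding is what ties the app accesses back to the single stolen cookie.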