First Occurrence of Okta User Session Started via Proxy
Identifies the first occurrence of an Okta user session started via a proxy.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/11/07"
3integration = ["okta"]
4maturity = "production"
5updated_date = "2026/02/20"
6
7[rule]
8author = ["Elastic"]
9description = "Identifies the first occurrence of an Okta user session started via a proxy."
10index = ["filebeat-*", "logs-okta.system-*"]
11language = "kuery"
12license = "Elastic License v2"
13name = "First Occurrence of Okta User Session Started via Proxy"
14note = """## Triage and analysis
15
16### Investigating First Occurrence of Okta User Session Started via Proxy
17
18This rule detects the first occurrence of an Okta user session started via a proxy. This rule is designed to help identify suspicious authentication behavior that may be indicative of an attacker attempting to gain access to an Okta account while remaining anonymous. This rule leverages the New Terms rule type feature where the `okta.actor.id` value is checked against the previous 7 days of data to determine if the value has been seen before for this activity.
19
20#### Possible investigation steps:
21- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
22- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
23- Examine the `okta.debug_context.debug_data.flattened` field for more information about the proxy used.
24- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.
25- Review the past activities of the actor involved in this action by checking their previous actions.
26- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.
27
28### False positive analysis:
29- A user may have legitimately started a session via a proxy for security or privacy reasons.
30
31### Response and remediation:
32- Review the profile of the user involved in this action to determine if proxy usage may be expected.
33- If the user is legitimate and the authentication behavior is not suspicious, no action is required.
34- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).
35 - If MFA is already enabled, consider resetting MFA for the user.
36- If the user is not legitimate, consider deactivating the user's account.
37- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
38"""
39references = [
40 "https://developer.okta.com/docs/reference/api/system-log/",
41 "https://developer.okta.com/docs/reference/api/event-types/",
42 "https://developer.okta.com/docs/reference/api/system-log/#issuer-object",
43 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
44 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
45 "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
46 "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
47 "https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft"
48]
49risk_score = 47
50rule_id = "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd"
51severity = "medium"
52tags = [
53 "Domain: Identity",
54 "Tactic: Initial Access",
55 "Use Case: Identity and Access Audit",
56 "Data Source: Okta",
57 "Data Source: Okta System Logs",
58 "Resources: Investigation Guide",
59]
60timestamp_override = "event.ingested"
61type = "new_terms"
62
63query = '''
64event.dataset:okta.system and
65 okta.event_type: (
66 user.session.start or
67 user.authentication.verify or
68 user.authentication.sso or
69 user.authentication.auth_via_mfa
70 ) and
71 okta.security_context.is_proxy:true and
72 not okta.actor.id: okta*
73'''
74
75
76[[rule.threat]]
77framework = "MITRE ATT&CK"
78[[rule.threat.technique]]
79id = "T1133"
80name = "External Remote Services"
81reference = "https://attack.mitre.org/techniques/T1133/"
82
83
84[rule.threat.tactic]
85id = "TA0001"
86name = "Initial Access"
87reference = "https://attack.mitre.org/tactics/TA0001/"
88
89[rule.new_terms]
90field = "new_terms_fields"
91value = ["okta.actor.id", "cloud.account.id"]
92[[rule.new_terms.history_window_start]]
93field = "history_window_start"
94value = "now-7d"
Triage and analysis
Investigating First Occurrence of Okta User Session Started via Proxy
This rule detects the first occurrence of an Okta user session started via a proxy. This rule is designed to help identify suspicious authentication behavior that may be indicative of an attacker attempting to gain access to an Okta account while remaining anonymous. This rule leverages the New Terms rule type feature where the okta.actor.id value is checked against the previous 7 days of data to determine if the value has been seen before for this activity.
Possible investigation steps:
- Identify the user involved in this action by examining the
okta.actor.id,okta.actor.type,okta.actor.alternate_id, andokta.actor.display_namefields. - Determine the client used by the actor. Review the
okta.client.ip,okta.client.user_agent.raw_user_agent,okta.client.zone,okta.client.device, andokta.client.idfields. - Examine the
okta.debug_context.debug_data.flattenedfield for more information about the proxy used. - Review the
okta.request.ip_chainfield for more information about the geographic location of the proxy. - Review the past activities of the actor involved in this action by checking their previous actions.
- Evaluate the actions that happened just before and after this event in the
okta.event_typefield to help understand the full context of the activity.
False positive analysis:
- A user may have legitimately started a session via a proxy for security or privacy reasons.
Response and remediation:
- Review the profile of the user involved in this action to determine if proxy usage may be expected.
- If the user is legitimate and the authentication behavior is not suspicious, no action is required.
- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).
- If MFA is already enabled, consider resetting MFA for the user.
- If the user is not legitimate, consider deactivating the user's account.
- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
References
-
-
Testing your Okta visibility and detection with Dorothy and Elastic Security — Elastic Security Labs
Dorothy is a tool for security teams to test their visibility and detection capabilities for their Okta environment. IAM solutions are frequently targeted by adversaries but poorly monitored. Learn how to get started with Dorothy in this post.
Read More -
SummaryOkta has observed attacks in which a threat actor used social engineering to attain a highly privileged role in an Okta customer Orga
Read More -
This article guides readers through establishing an Okta threat detection lab, emphasizing the importance of securing SaaS platforms like Okta. It details creating a lab environment with the Elastic Stack, integrating SIEM solutions, and Okta.
Read More -
This article delves into Okta's architecture and services, laying a solid foundation for threat research and detection engineering. Essential reading for those aiming to master threat hunting and detection in Okta environments.
Read More -
ShinyHunters-branded operations are using sophisticated vishing and victim-branded sites to steal data from cloud-based SaaS applications.
Read More
Related rules
- Okta Alerts Following Unusual Proxy Authentication
- Okta Successful Login After Credential Attack
- Potential Okta Brute Force (Multi-Source)
- Potential Okta Credential Stuffing (Single Source)
- Potential Okta Password Spray (Multi-Source)