Okta Admin Functions Access Through Proxy
Detects access to Okta admin functions through proxy.
Sigma rule:

```yaml
title: Okta Admin Functions Access Through Proxy
id: 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309
status: test
description: Detects access to Okta admin functions through proxy.
references:
  - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
  - https://dataconomy.com/2023/10/23/okta-data-breach/
  - https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
author: Muhammad Faisal @faisalusuf
date: 2023-10-25
tags:
  - attack.credential-access
logsource:
  service: okta
  product: okta
detection:
  selection:
    debugContext.debugData.requestUri|contains: 'admin'
    securityContext.isProxy: 'true'
  condition: selection
falsepositives:
  - False positives are expected if administrators access these functions through a proxy legitimately. Apply additional filters if necessary.
level: medium
```
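To show what the `selection` block above actually matches, here is a small evaluator run over constructed Okta System Log events. This is an added example, not code from the Sigma project or the rule author; the event shapes and `uuid` values are made up for illustration, and it assumes the two fields arrive as `debugContext.debugData.requestUri` and `securityContext.isProxy` as in Okta's System Log JSON. It mirrors two details of Sigma semantics that matter in practice: `contains` is case-insensitive by default, and the rule's `'true'` string must still match the JSON boolean that Okta emits.

```python
"""Toy evaluator for the 'Okta Admin Functions Access Through Proxy' Sigma rule."""
from typing import Any

# Constructed sample events shaped like Okta System Log entries (not real data).
SAMPLE_EVENTS = [
    {   # ordinary API call, no proxy: must not fire
        "uuid": "evt-1",
        "debugContext": {"debugData": {"requestUri": "/api/v1/users"}},
        "securityContext": {"isProxy": False},
    },
    {   # admin console path via proxy: fires
        "uuid": "evt-2",
        "debugContext": {"debugData": {"requestUri": "/admin/users"}},
        "securityContext": {"isProxy": True},
    },
    {   # proxy, but not an admin function: must not fire
        "uuid": "evt-3",
        "debugContext": {"debugData": {"requestUri": "/api/v1/authn"}},
        "securityContext": {"isProxy": True},
    },
    {   # some pipelines stringify booleans; the rule's 'true' should still match
        "uuid": "evt-4",
        "debugContext": {"debugData": {"requestUri": "/admin/apps"}},
        "securityContext": {"isProxy": "true"},
    },
    {   # Sigma 'contains' is case-insensitive, so mixed case still fires
        "uuid": "evt-5",
        "debugContext": {"debugData": {"requestUri": "/Admin/dashboard"}},
        "securityContext": {"isProxy": True},
    },
    {   # event missing the debug fields entirely: must not fire (and not crash)
        "uuid": "evt-6",
        "securityContext": {"isProxy": True},
    },
]


def get_path(event: dict, dotted: str) -> Any:
    """Resolve a dotted Sigma field name against a nested JSON event."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def is_true(value: Any) -> bool:
    """Accept both a JSON boolean and the string form the rule is written with."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def matches(event: dict) -> bool:
    """Evaluate the rule's single 'selection' (both field conditions ANDed)."""
    uri = get_path(event, "debugContext.debugData.requestUri")
    proxy = get_path(event, "securityContext.isProxy")
    if uri is None or proxy is None:
        return False
    # 'admin' with |contains -> case-insensitive substring match
    return "admin" in str(uri).lower() and is_true(proxy)


def run_detection(events: list) -> list:
    """Return the uuids of all events that satisfy the rule."""
    return [e["uuid"] for e in events if matches(e)]


if __name__ == "__main__":
    for uid in run_detection(SAMPLE_EVENTS):
        print("ALERT", uid)
```

The false-positive note in the rule applies directly here: in an environment where administrators routinely reach the admin console through a corporate proxy, `evt-2` would be benign, and the practical tuning is to add a filter on the proxy's known egress addresses or on the admin accounts expected to use it rather than to drop the `isProxy` condition.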
Related rules
- Kerberoasting Activity - Initial Query
- LSASS Process Memory Dump Creation Via Taskmgr.EXE
- New Okta User Created
- Okta 2023 Breach Indicator Of Compromise
- Potential Okta Password in AlternateID Field