Okta Admin Functions Access Through Proxy
Detects access to Okta admin functions through proxy.
Sigma rule (View on GitHub)
1title: Okta Admin Functions Access Through Proxy
2id: 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309
3status: experimental
4description: Detects access to Okta admin functions through proxy.
5references:
6 - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
7 - https://dataconomy.com/2023/10/23/okta-data-breach/
8 - https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
9author: Muhammad Faisal @faisalusuf
10date: 2023/10/25
11tags:
12 - attack.credential_access
13logsource:
14 service: okta
15 product: okta
16detection:
17 selection:
18 debugContext.debugData.requestUri|contains: 'admin'
19 securityContext.isProxy: 'true'
20 condition: selection
21falsepositives:
22 - False positives are expected if administrators access these function through proxy legitimatly. Apply additional filters if necessary
23level: medium
References
-
This blog shared details of the Okta support unit attack to educate other Okta users and infosec professionals. For BeyondTrust customers who leverage our…
Read More -
What happens when even the fortress's guardians face a breach? Let's take a closer look at the Okta data breach and find out!
Read More -
On Wednesday, October 18, 2023, we discovered attacks on our system that we were able to trace back to Okta. We have verified that no Cloudflare customer information or systems were impacted by this event because of our rapid response.
Read More
Related rules
- New Okta User Created
- Okta 2023 Breach Indicator Of Compromise
- Potential Okta Password in AlternateID Field
- CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
- GALLIUM Artefacts - Builtin