Okta Admin Functions Access Through Proxy

Detects access to Okta admin functions through proxy.

Sigma rule (View on GitHub)

 1title: Okta Admin Functions Access Through Proxy
 2id: 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309
 3status: test
 4description: Detects access to Okta admin functions through proxy.
 5references:
 6    - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
 7    - https://dataconomy.com/2023/10/23/okta-data-breach/
 8    - https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
 9author: Muhammad Faisal @faisalusuf
10date: 2023-10-25
11tags:
12    - attack.credential-access
13logsource:
14    service: okta
15    product: okta
16detection:
17    selection:
18        debugContext.debugData.requestUri|contains: 'admin'
19        securityContext.isProxy: 'true'
20    condition: selection
21falsepositives:
22    - False positives are expected if administrators access these function through proxy legitimatly. Apply additional filters if necessary
23level: medium

References

Related rules

to-top