Okta User Session Start Via An Anonymising Proxy Service

Sep 11, 2023 · attack.defense_evasion attack.t1562.006 ·

Detects when an Okta user session starts where the user is behind an anonymising proxy service.

Sigma rule (View on GitHub)

 1title: Okta User Session Start Via An Anonymising Proxy Service
 2id: bde30855-5c53-4c18-ae90-1ff79ebc9578
 3status: experimental
 4description: Detects when an Okta user session starts where the user is behind an anonymising proxy service.
 5references:
 6    - https://developer.okta.com/docs/reference/api/system-log/
 7    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
 8author: kelnage
 9date: 2023/09/07
10tags:
11    - attack.defense_evasion
12    - attack.t1562.006
13logsource:
14    product: okta
15    service: okta
16detection:
17    selection:
18        eventtype: 'user.session.start'
19        securitycontext.isproxy: 'true'
20    condition: selection
21falsepositives:
22    - If a user requires an anonymising proxy due to valid justifications.
23level: high

References

System Log | Okta Developer

Secure, scalable, and highly available authentication and user management for any app.

Read More
Cross-Tenant Impersonation: Prevention and Detection

Summary

Read More

Okta User Session Start Via An Anonymising Proxy Service

Sigma rule (View on GitHub)

References

System Log | Okta Developer

Cross-Tenant Impersonation: Prevention and Detection

Related rules