Okta User Session Start Via An Anonymising Proxy Service
Detects when an Okta user session starts where the user is behind an anonymising proxy service.
Sigma rule
title: Okta User Session Start Via An Anonymising Proxy Service
id: bde30855-5c53-4c18-ae90-1ff79ebc9578
status: experimental
description: Detects when an Okta user session starts where the user is behind an anonymising proxy service.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
author: kelnage
date: 2023/09/07
tags:
    - attack.defense_evasion
    - attack.t1562.006
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventtype: 'user.session.start'
        securitycontext.isproxy: 'true'
    condition: selection
falsepositives:
    - If a user requires an anonymising proxy due to valid justifications.
level: high
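The following is an added example, not part of the rule or the Sigma project: it evaluates the rule's `selection` against constructed Okta System Log events to show which ones would alert. It assumes the log pipeline flattens nested JSON into lowercase dotted field names, as the rule's field names imply; the `uuid` values, the sample events and the helper names are made up for illustration.

```python
# Selection copied from the Sigma rule above.
SELECTION = {"eventtype": "user.session.start", "securitycontext.isproxy": "true"}

def flatten(obj, prefix=""):
    """Flatten nested JSON into lowercase dotted keys (assumed pipeline behaviour)."""
    flat = {}
    for key, value in obj.items():
        name = (prefix + key).lower()
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat

def normalise(value):
    """Sigma string matching is case-insensitive; JSON booleans become 'true'/'false'."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value).lower()

def matches(event):
    """True when every field in SELECTION is present, non-null and equal."""
    flat = flatten(event)
    return all(
        flat.get(field) is not None and normalise(flat[field]) == wanted
        for field, wanted in SELECTION.items()
    )

# Constructed sample events, shaped like Okta System Log entries (not real data).
SAMPLE_EVENTS = [
    {"uuid": "constructed-1", "eventType": "user.session.start",
     "securityContext": {"isProxy": True}},    # proxy session start: alerts
    {"uuid": "constructed-2", "eventType": "user.session.start",
     "securityContext": {"isProxy": False}},   # direct connection: no alert
    {"uuid": "constructed-3", "eventType": "user.session.start",
     "securityContext": {"isProxy": None}},    # proxy status unknown: no alert
    {"uuid": "constructed-4", "eventType": "user.authentication.sso",
     "securityContext": {"isProxy": True}},    # different event type: no alert
    {"uuid": "constructed-5", "eventType": "user.session.start"},  # field absent
]

def alerts(events):
    """Return the uuid of every event the rule's selection matches."""
    return [event["uuid"] for event in events if matches(event)]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))
```

Events where `isProxy` is null or missing do not match, so a session start whose proxy status Okta could not determine is not covered by this rule.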
Related rules
- Disable of ETW Trace
- Disable of ETW Trace - Powershell
- Auditing Configuration Changes on Linux Host
- Logging Configuration Changes on Linux Host
- Fsutil Suspicious Invocation