Okta User Session Start Via An Anonymising Proxy Service

Apr 28, 2026 · attack.defense-impairment attack.t1685 ·

Detects when an Okta user session starts where the user is behind an anonymising proxy service.

Sigma rule (View on GitHub)

 1title: Okta User Session Start Via An Anonymising Proxy Service
 2id: bde30855-5c53-4c18-ae90-1ff79ebc9578
 3status: test
 4description: Detects when an Okta user session starts where the user is behind an anonymising proxy service.
 5references:
 6    - https://developer.okta.com/docs/reference/api/system-log/
 7    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
 8author: kelnage
 9date: 2023-09-07
10modified: 2026-04-27
11tags:
12    - attack.defense-impairment
13    - attack.t1685
14logsource:
15    product: okta
16    service: okta
17detection:
18    selection:
19        eventType: 'user.session.start'
20        securityContext.isProxy: 'true'
21    condition: selection
22falsepositives:
23    - If a user requires an anonymising proxy due to valid justifications.
24level: high

References

System Log

Read More
Cross-Tenant Impersonation: Prevention and Detection

SummaryOkta has observed attacks in which a threat actor used social engineering to attain a highly privileged role in an Okta customer Orga

Read More

Okta User Session Start Via An Anonymising Proxy Service

Sigma rule (View on GitHub)

References

System Log

Cross-Tenant Impersonation: Prevention and Detection

Related rules