Techniques
Sample rules
Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy
- source: elastic
- techniques:
  - T1110
Description
Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy.
Detection logic
event.dataset:okta.system
and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:*
and okta.event_type:user.authentication* and okta.security_context.is_proxy:true
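
The query above only selects candidate events; the "multiple users with the same device token hash" condition needs a grouping step on top of it. The following Python sketch is an added example, not part of the Elastic rule: it applies the same filter to flattened events and groups by dt_hash. The threshold of 3 distinct users, the helper names, and the sample events are all assumptions constructed for illustration, and the events are assumed to come from a single lookback window.

```python
from collections import defaultdict

DT_HASH = "okta.debug_context.debug_data.dt_hash"
MIN_DISTINCT_USERS = 3  # assumption: the page does not state a threshold

def matches_filter(ev):
    """Mirror the page's query on one flattened event (dotted keys)."""
    return (
        ev.get("event.dataset") == "okta.system"
        and not str(ev.get("okta.actor.id", "")).startswith("okta")
        and ev.get(DT_HASH) not in (None, "")
        and str(ev.get("okta.event_type", "")).startswith("user.authentication")
        and ev.get("okta.security_context.is_proxy") is True
    )

def shared_device_tokens(events, min_users=MIN_DISTINCT_USERS):
    """Return {dt_hash: sorted actor ids} for hashes used by >= min_users users."""
    users = defaultdict(set)
    for ev in events:
        actor = ev.get("okta.actor.id")
        if actor is not None and matches_filter(ev):
            users[ev[DT_HASH]].add(actor)
    return {h: sorted(u) for h, u in users.items() if len(u) >= min_users}

def make_event(actor, dt_hash, proxy=True, etype="user.authentication.sso"):
    """Build one constructed sample event with only the fields the query reads."""
    return {
        "event.dataset": "okta.system",
        "okta.actor.id": actor,
        DT_HASH: dt_hash,
        "okta.event_type": etype,
        "okta.security_context.is_proxy": proxy,
    }

# Constructed sample data, not real Okta logs.
SAMPLE_EVENTS = [
    make_event("00uAAA", "hash-1"),
    make_event("00uBBB", "hash-1"),
    make_event("00uCCC", "hash-1", etype="user.authentication.auth_via_mfa"),
    make_event("00uAAA", "hash-1"),                # repeat user, counted once
    make_event("00uDDD", "hash-2"),
    make_event("00uEEE", "hash-2"),                # only two users on hash-2
    make_event("00uFFF", "hash-3", proxy=False),   # not behind a proxy
    make_event("okta.constructed", "hash-1"),      # excluded by okta* actor filter
    make_event("00uGGG", None),                    # no dt_hash present
]

if __name__ == "__main__":
    for dt_hash, actors in shared_device_tokens(SAMPLE_EVENTS).items():
        print(dt_hash, "shared by", actors)
```

Repeat logins by the same user on one hash count once, so a single user behind a shared proxy does not trigger on volume alone.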