LoFP / false positives are expected if administrators access these function through proxy legitimatly. apply additional filters if necessary

Techniques

Sample rules

Okta Admin Functions Access Through Proxy

• source: sigma
• technicques:

Description

Detects access to Okta admin functions through proxy.

Detection logic

condition: selection
selection:
  debugContext.debugData.requestUri|contains: admin
  securityContext.isProxy: 'true'