LoFP / legitimate users who routinely use VPN or proxy services for privacy may trigger this if they also trigger unrelated security alerts.

Techniques

Sample rules

Okta Alerts Following Unusual Proxy Authentication

Description

Correlates the first occurrence of an Okta user session started via a proxy with subsequent Okta security alerts for the same user. Attackers frequently use proxy infrastructure (VPNs, Tor, residential proxies) to mask their origin when using stolen credentials, and their post-authentication activity often triggers additional detection rules.

Detection logic

sequence by user.name with maxspan=30m
    [any where event.dataset == "okta.system" and
        kibana.alert.rule.rule_id == "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd"]
    [any where event.dataset == "okta.system" and
        kibana.alert.rule.rule_id != null and
        kibana.alert.severity != "low" and
        kibana.alert.rule.rule_id not in (
            "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd",
            "af2d8e4c-3b7c-4e91-8f5a-6c9d0e1f2a3b"
        )
    ]
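As an added illustration, not part of the rule or of this LoFP entry, the Python below emulates the `sequence by user.name with maxspan=30m` logic above over constructed Okta alert documents, so the hit and the three non-hit cases (low severity, excluded rule id, expired window) can be checked offline. The `correlate` and `sample_alerts` functions, the `other-rule` id and all timestamps are assumptions; the emulation is simplified to one open window per user.

```python
from datetime import datetime, timedelta

# Rule ids copied from the EQL above; the second is only known to be excluded.
PROXY_RULE_ID = "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd"
EXCLUDED_RULE_IDS = {PROXY_RULE_ID, "af2d8e4c-3b7c-4e91-8f5a-6c9d0e1f2a3b"}
MAXSPAN = timedelta(minutes=30)


def correlate(alerts):
    """Simplified emulation of `sequence by user.name with maxspan=30m`.
    Keeps one open window per user; returns (user, proxy_ts, follow_on_ts)
    for every completed sequence."""
    pending = {}  # user.name -> timestamp of the open proxy-auth alert
    matches = []
    for a in sorted(alerts, key=lambda x: x["@timestamp"]):
        if a.get("event.dataset") != "okta.system":
            continue
        user, ts = a["user.name"], a["@timestamp"]
        rid = a.get("kibana.alert.rule.rule_id")
        if rid == PROXY_RULE_ID:          # step 1 opens (or refreshes) a window
            pending[user] = ts
            continue
        if user not in pending:
            continue
        if ts - pending[user] > MAXSPAN:  # window expired: drop the partial match
            del pending[user]
            continue
        # step 2: any other non-low alert for the same user inside the window
        if rid is not None and rid not in EXCLUDED_RULE_IDS \
                and a.get("kibana.alert.severity") != "low":
            matches.append((user, pending.pop(user), ts))
    return matches


def sample_alerts():
    """Constructed alert documents (not real Okta data): one hit, then the
    low-severity, excluded-rule and expired-window non-hits."""
    t0 = datetime(2024, 1, 1, 9, 0)
    def alert(user, rule_id, minutes, severity="medium"):
        return {"event.dataset": "okta.system", "user.name": user,
                "kibana.alert.rule.rule_id": rule_id,  # "other-rule" is a placeholder
                "kibana.alert.severity": severity,
                "@timestamp": t0 + timedelta(minutes=minutes)}
    return [
        alert("alice", PROXY_RULE_ID, 0), alert("alice", "other-rule", 12),    # hit
        alert("bob", PROXY_RULE_ID, 0), alert("bob", "other-rule", 5, "low"),  # low
        alert("carol", PROXY_RULE_ID, 0),
        alert("carol", "af2d8e4c-3b7c-4e91-8f5a-6c9d0e1f2a3b", 3),            # excluded
        alert("dave", PROXY_RULE_ID, 0), alert("dave", "other-rule", 45),      # expired
    ]
```

The `alice` case is also the false positive described at the top: a legitimate VPN user whose unrelated medium-severity alert lands inside the 30-minute window.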