LoFP / security testing or red team exercises using proxy infrastructure.

Techniques

Sample rules

Okta Alerts Following Unusual Proxy Authentication

Description

Correlates the first occurrence of an Okta user session started via a proxy with subsequent Okta security alerts for the same user. Attackers frequently use proxy infrastructure (VPNs, Tor, residential proxies) to mask their origin when using stolen credentials, and their post-authentication activity often triggers additional detection rules.

Detection logic

sequence by user.name with maxspan=30m
    [any where event.dataset == "okta.system" and
        kibana.alert.rule.rule_id == "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd"]
    [any where event.dataset == "okta.system" and
        kibana.alert.rule.rule_id != null and
        kibana.alert.severity != "low" and
        kibana.alert.rule.rule_id not in (
            "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd",
            "af2d8e4c-3b7c-4e91-8f5a-6c9d0e1f2a3b"
        )
    ]