Detectionmediumtest

Okta Admin Functions Access Through Proxy

Detects access to Okta admin functions through proxy.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Muhammad FaisalCreated Wed Oct 259058ca8b-f397-4fd1-a9fa-2b7aad4d6309identity

Log Source

Oktaokta

ProductOkta← raw: okta

Serviceokta← raw: okta

Detection Logic

detection:
    selection:
        debugContext.debugData.requestUri|contains: 'admin'
        securityContext.isProxy: 'true'
    condition: selection

False Positives

False positives are expected if administrators access these function through proxy legitimatly. Apply additional filters if necessary

References

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Rule Metadata

Rule ID

9058ca8b-f397-4fd1-a9fa-2b7aad4d6309

Status

test

Level

medium

Type

Detection

Created

Wed Oct 25

Author

Muhammad Faisal

Path

rules/identity/okta/okta_admin_activity_from_proxy_query.yml

Raw Tags

attack.credential-access

View on GitHub