Detectionhightest
Okta User Session Start Via An Anonymising Proxy Service
Detects when an Okta user session starts where the user is behind an anonymising proxy service.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
Oktaokta
ProductOkta← raw: okta
Serviceokta← raw: okta
Detection Logic
Detection Logic1 selector
detection:
selection:
eventtype: 'user.session.start'
securitycontext.isproxy: 'true'
condition: selectionFalse Positives
If a user requires an anonymising proxy due to valid justifications.
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
bde30855-5c53-4c18-ae90-1ff79ebc9578
Status
test
Level
high
Type
Detection
Created
Thu Sep 07
Author
Path
rules/identity/okta/okta_user_session_start_via_anonymised_proxy.yml
Raw Tags
attack.defense-evasionattack.t1562.006