rules/cloud/okta/okta_admin_activity_from_proxy_query.yml

title: Okta Admin Functions Access Through Proxy
id: 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309
status: test
description: Detects access to Okta admin functions through proxy.
references:
    - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
    - https://dataconomy.com/2023/10/23/okta-data-breach/
    - https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
author: Muhammad Faisal @faisalusuf
date: 2023-10-25
tags:
    - attack.credential-access
logsource:
    service: okta
    product: okta
detection:
    selection:
        debugContext.debugData.requestUri|contains: 'admin'
        securityContext.isProxy: 'true'
    condition: selection
falsepositives:
    - False positives are expected if administrators access these function through proxy legitimatly. Apply additional filters if necessary
level: medium
Merge PR #4509 from @faisalusuf - Add New Rules Related to Okta Breach 2023-10-28 14:50:04 +04:00			`title: Okta Admin Functions Access Through Proxy`
			`id: 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309`
Merge PR #4991 from @nasbench - Promote older rules status from `experimental` to `test` 2024-09-02 10:01:36 +02:00			`status: test`
Merge PR #4509 from @faisalusuf - Add New Rules Related to Okta Breach 2023-10-28 14:50:04 +04:00			`description: Detects access to Okta admin functions through proxy.`
			`references:`
			`- https://www.beyondtrust.com/blog/entry/okta-support-unit-breach`
			`- https://dataconomy.com/2023/10/23/okta-data-breach/`
			`- https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/`
			`author: Muhammad Faisal @faisalusuf`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2023-10-25`
Merge PR #4509 from @faisalusuf - Add New Rules Related to Okta Breach 2023-10-28 14:50:04 +04:00			`tags:`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.credential-access`
Merge PR #4509 from @faisalusuf - Add New Rules Related to Okta Breach 2023-10-28 14:50:04 +04:00			`logsource:`
			`service: okta`
			`product: okta`
			`detection:`
			`selection:`
			`debugContext.debugData.requestUri\|contains: 'admin'`
			`securityContext.isProxy: 'true'`
			`condition: selection`
			`falsepositives:`
			`- False positives are expected if administrators access these function through proxy legitimatly. Apply additional filters if necessary`
			`level: medium`