Okta Alerts Following Unusual Proxy Authentication

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Okta Alerts Following Unusual Proxy Authentication

Correlates the first occurrence of an Okta user session started via a proxy with subsequent Okta security alerts for the same user. Attackers frequently use proxy infrastructure (VPNs, Tor, residential proxies) to mask their origin when using stolen credentials, and their post-authentication activity often triggers additional detection rules.

Rule type: eql

Rule indices:

.alerts-security.*

Severity: high

Risk score: 73

Runs every: 30m

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Identity
Domain: Cloud
Use Case: Identity and Access Audit
Use Case: Threat Detection
Data Source: Okta
Data Source: Okta System Logs
Tactic: Initial Access
Rule Type: Higher-Order Rule
Resources: Investigation Guide

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating Okta Alerts Following Unusual Proxy Authentication

This rule correlates the first occurrences of authentication behind a proxy followed by an alert with subsequent Okta security alerts for the same user. Attackers frequently use proxy infrastructure (VPNs, Tor, residential proxies) to mask their origin when using stolen credentials, and their post-authentication activity often triggers additional detection rules.

By correlating the proxy alert with other Okta alerts using an EQL sequence, this rule identifies users whose proxy-based authentication was followed by suspicious activity within a 1-hour window.

Possible investigation steps

Identify the affected user and review the correlated security alerts to understand what suspicious activity was detected after the proxy authentication.
Examine the proxy source IP addresses and cross-reference with threat intelligence feeds for known malicious infrastructure.
Review the time gap between the proxy authentication and subsequent alert generation.
Review the user’s recent Okta activity for signs of account takeover (MFA changes, new devices, unusual app access).
Verify with the user whether they intentionally used a proxy or VPN during this session.

False positive analysis

Users who legitimately use VPN services for privacy or remote work may trigger this rule if they also trigger unrelated alerts.
Security testing or red team exercises using proxy infrastructure combined with testing that triggers alerts.
Corporate VPN egress points that Okta classifies as proxy infrastructure.

Response and remediation

If account compromise is suspected, immediately revoke all active sessions for the user.
Reset the user’s password and MFA factors.
Review and revoke any OAuth tokens or API keys associated with the account.
Block the source proxy IP at the network perimeter if confirmed malicious.
Review the user’s access to sensitive applications and data during the suspicious session.

Rule query

edit

sequence by user.name with maxspan=30m
    [any where event.dataset == "okta.system" and
        kibana.alert.rule.rule_id == "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd"]
    [any where event.dataset == "okta.system" and
        kibana.alert.rule.rule_id != null and
        kibana.alert.severity != "low" and
        kibana.alert.rule.rule_id not in  (
            "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd",
            "af2d8e4c-3b7c-4e91-8f5a-6c9d0e1f2a3b"
        )
    ]

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
Sub-technique:
- Name: Cloud Accounts
- ID: T1078.004
- Reference URL: https://attack.mitre.org/techniques/T1078/004/

« M365 SharePoint Search for Sensitive Content First Time Seen DNS Query to RMM Domain »