event.dataset:okta.system
and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:*
and okta.event_type:user.authentication* and okta.security_context.is_proxy:true
Install detection rules in Elastic Security
Detect Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).