Elastic Security Detection Rules

Okta Alerts Following Unusual Proxy Authentication

Last updated 7 days ago on 2026-02-20
Created 7 days ago on 2026-02-20

About

Correlates the first occurrence of an Okta user session started via a proxy with subsequent Okta security alerts for the same user. Attackers frequently use proxy infrastructure (VPNs, Tor, residential proxies) to mask their origin when using stolen credentials, and their post-authentication activity often triggers additional detection rules.
Tags
Domain: IdentityDomain: CloudUse Case: Identity and Access AuditUse Case: Threat DetectionData Source: OktaData Source: Okta System LogsTactic: Initial AccessRule Type: Higher-Order RuleLanguage: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

Valid Accounts (T1078)(external, opens in a new tab or window)

False Positive Examples
Legitimate users who routinely use VPN or proxy services for privacy may trigger this if they also trigger unrelated security alerts. Security testing or red team exercises using proxy infrastructure.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
.alerts-security.*
Related Integrations

okta(external, opens in a new tab or window)

Query
text code block:
sequence by user.name with maxspan=30m
    [any where event.dataset == "okta.system" and
        kibana.alert.rule.rule_id == "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd"]
    [any where event.dataset == "okta.system" and
        kibana.alert.rule.rule_id != null and
        kibana.alert.severity != "low" and
        kibana.alert.rule.rule_id not in  (
            "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd",
            "af2d8e4c-3b7c-4e91-8f5a-6c9d0e1f2a3b"
        )
    ]

Install detection rules in Elastic Security

Detect Okta Alerts Following Unusual Proxy Authentication in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).