[New Rule] Okta User Authentication via Proxy Followed by Security Alert #5751

@terrancedejesus

Description

Summary

Create a higher-order correlation rule that identifies Okta user authentication from an anonymizing proxy followed by subsequent security alerts for the same user within a 1-hour window.

Motivation

This rule addresses TTPs observed in the ShinyHunters SaaS data theft campaign tracked by Mandiant/GTIG. Threat actors frequently use proxy infrastructure (VPNs, Tor, residential proxies) to mask their origin when authenticating with stolen credentials obtained via vishing. Their post-authentication activity often triggers additional detection rules.

By correlating proxy-based authentication with subsequent alerts, we can identify potential account compromise with higher confidence than either signal alone.

Detection Logic

  1. Query both logs-okta.system-* and .alerts-security.* indices
  2. Identify Okta authentication events where okta.security_context.is_proxy == true
  3. Identify security alerts (excluding the "First Occurrence of Okta User Session Started via Proxy" rule to avoid self-correlation)
  4. Aggregate by user.name
  5. Require proxy authentication before alert generation
  6. Require alert within 60 minutes of proxy authentication
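The six steps above as a runnable reference implementation, added here as an example and not the repository's own rule (the real rule would be an ES|QL query over the two indices). Only user.name and okta.security_context.is_proxy come from the issue; kibana.alert.rule.name is an assumed alert field and the sample events are constructed.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=60)
# Excluded so the correlation does not fire on the baseline proxy rule itself (name from the issue).
EXCLUDED_RULE = "First Occurrence of Okta User Session Started via Proxy"

def correlate(okta_events, alerts, window=WINDOW):
    """Return {user.name: (proxy_auth_ts, first_alert_ts)} for every user whose
    proxy authentication is followed by a non-excluded alert within `window`."""
    # Steps 2 and 4: earliest proxy-flagged authentication per user.name
    proxy_auth = {}
    for ev in okta_events:
        if ev.get("okta.security_context.is_proxy") is True:
            u = ev["user.name"]
            proxy_auth[u] = min(ev["@timestamp"], proxy_auth.get(u, ev["@timestamp"]))
    # Steps 3, 5 and 6: alert must come strictly after the proxy auth and within the window
    hits = {}
    for al in alerts:
        u = al["user.name"]
        if al.get("kibana.alert.rule.name") == EXCLUDED_RULE or u not in proxy_auth:  # assumed field
            continue
        delta = al["@timestamp"] - proxy_auth[u]
        if timedelta(0) < delta <= window and (u not in hits or al["@timestamp"] < hits[u][1]):
            hits[u] = (proxy_auth[u], al["@timestamp"])
    return hits

# Constructed sample data: one true positive plus one user for each non-hit condition.
T0 = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_OKTA = [
    {"@timestamp": T0, "user.name": "alice", "okta.security_context.is_proxy": True},
    {"@timestamp": T0, "user.name": "bob", "okta.security_context.is_proxy": False},
    {"@timestamp": T0, "user.name": "carol", "okta.security_context.is_proxy": True},
    {"@timestamp": T0 + timedelta(minutes=30), "user.name": "dave", "okta.security_context.is_proxy": True},
    {"@timestamp": T0, "user.name": "erin", "okta.security_context.is_proxy": True},
]
SAMPLE_ALERTS = [
    {"@timestamp": T0 + timedelta(minutes=20), "user.name": "alice", "kibana.alert.rule.name": "Example Rule A"},
    {"@timestamp": T0 + timedelta(minutes=20), "user.name": "bob", "kibana.alert.rule.name": "Example Rule A"},    # no proxy auth
    {"@timestamp": T0 + timedelta(minutes=90), "user.name": "carol", "kibana.alert.rule.name": "Example Rule A"},  # outside 60 min
    {"@timestamp": T0 + timedelta(minutes=10), "user.name": "dave", "kibana.alert.rule.name": "Example Rule A"},   # alert before proxy auth
    {"@timestamp": T0 + timedelta(minutes=10), "user.name": "erin", "kibana.alert.rule.name": EXCLUDED_RULE},      # self-correlation excluded
]

def run_sample():
    return correlate(SAMPLE_OKTA, SAMPLE_ALERTS)

if __name__ == "__main__":
    for user, (auth_ts, alert_ts) in run_sample().items():
        print(f"{user}: proxy auth {auth_ts:%H:%M}, alert {alert_ts:%H:%M}")
```

Only alice is reported; bob, carol, dave and erin each fail one of steps 2, 6, 5 and 3 respectively.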

Dependencies

  • Okta Fleet integration or Filebeat module
  • Okta SIEM rules enabled to generate security alerts
  • "First Occurrence of Okta User Session Started via Proxy" rule (6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd) recommended for baseline detection
