[Rule Tuning] Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy #4119
Labels
Comments
brokensound77
added
Rule: Tuning
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Link to Rule
https://github.com/elastic/detection-rules/blob/51859e57f3e55b0478056c3be6ee27ea9154a70a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
Rule Tuning Type
(This should be a multi-select not single)
Description
There are several considerations for tuning this rule:
Removing the requirement to be behind a proxy
Basically remove:
and okta.security_context.is_proxy:true.Compare to similar internal variants:
5dd1a0f0-932d-4b9c-a061-d0043d49300c,0e157bf1-5c9b-4d42-ba0c-2aba0e897337Explore whether DT Hash is subject to change during auth workflow and after session is established
After discussing with @terrancedejesus, there is concern that the dt_hash may potential change unexpectedly, based on how it is used in the rules. Need to confirm and adjust as necessary
Example Data
No response
The text was updated successfully, but these errors were encountered: