Link to Rule
https://github.com/elastic/detection-rules/blob/51859e57f3e55b0478056c3be6ee27ea9154a70a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
Rule Tuning Type
(This should be a multi-select not single)
Description
There are several considerations for tuning this rule:

1. Removing the requirement to be behind a proxy
Basically remove: and okta.security_context.is_proxy:true
Compare to similar internal variants: 5dd1a0f0-932d-4b9c-a061-d0043d49300c, 0e157bf1-5c9b-4d42-ba0c-2aba0e897337

2. Explore whether DT Hash is subject to change during auth workflow and after session is established
After discussing with @terrancedejesus, there is concern that the dt_hash may potentially change unexpectedly, based on how it is used in the rules. Need to confirm and adjust as necessary.
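An added example (not part of the issue or the detection-rules repository) showing one way to check the two open points against exported Okta events: whether dt_hash drifts within an established session, and what the is_proxy:true clause filters out. It assumes the Elastic Okta integration's flattened ECS field names for the session id, dt_hash and actor; only okta.security_context.is_proxy is quoted in the issue.

```python
from collections import defaultdict

# Assumed ECS field names from the Elastic Okta integration (not quoted in the issue).
SESSION = "okta.authentication_context.external_session_id"
DT_HASH = "okta.debug_context.debug_data.dt_hash"
IS_PROXY = "okta.security_context.is_proxy"   # the clause the issue proposes removing
ACTOR = "okta.actor.alternate_id"


def _ev(actor, session, dt_hash, is_proxy):
    """Build one flattened Okta system-log event (constructed sample, not real data)."""
    return {ACTOR: actor, SESSION: session, DT_HASH: dt_hash, IS_PROXY: is_proxy}


# Constructed sample: S1 shows dt_hash changing mid-session, S3 shows the same
# behind no proxy, and dave shares a dt_hash with alice (the rule's threshold case).
SAMPLE_EVENTS = [
    _ev("alice@example.com", "S1", "h1", True),
    _ev("alice@example.com", "S1", "h1", True),
    _ev("alice@example.com", "S1", "h2", True),   # dt_hash drifted within S1
    _ev("bob@example.com",   "S2", "h3", False),
    _ev("bob@example.com",   "S2", "h3", False),
    _ev("carol@example.com", "S3", "h4", False),
    _ev("carol@example.com", "S3", "h5", False),  # drift, but not behind a proxy
    _ev("dave@example.com",  "S4", "h1", True),   # same device hash as alice
]


def _scope(events, require_proxy):
    """Apply the rule's is_proxy:true clause when require_proxy is set."""
    return [e for e in events if not require_proxy or e.get(IS_PROXY)]


def dt_hash_drift(events, require_proxy=True):
    """Return {session_id: sorted distinct dt_hash values} for sessions whose
    dt_hash changed, i.e. evidence for the issue's stability concern."""
    seen = defaultdict(set)
    for e in _scope(events, require_proxy):
        if e.get(SESSION) and e.get(DT_HASH):
            seen[e[SESSION]].add(e[DT_HASH])
    return {sid: sorted(hs) for sid, hs in seen.items() if len(hs) > 1}


def actors_per_dt_hash(events, require_proxy=True):
    """Return {dt_hash: number of distinct actors}, the quantity the rule
    thresholds on; compare with and without the proxy requirement."""
    actors = defaultdict(set)
    for e in _scope(events, require_proxy):
        if e.get(DT_HASH) and e.get(ACTOR):
            actors[e[DT_HASH]].add(e[ACTOR])
    return {h: len(a) for h, a in actors.items()}
```

Run both functions with require_proxy=True and False over a real export to see how much the clause narrows the candidate set before deciding whether to drop it.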
Example Data
No response