
[Rule Tuning] Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy #4119

Open
@brokensound77

Description

Link to Rule

https://github.com/elastic/detection-rules/blob/51859e57f3e55b0478056c3be6ee27ea9154a70a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml

Rule Tuning Type

(This should be a multi-select not single)

Description

There are several considerations for tuning this rule:

Removing the requirement to be behind a proxy

Basically remove: and okta.security_context.is_proxy:true.

Compare to similar internal variants: 5dd1a0f0-932d-4b9c-a061-d0043d49300c, 0e157bf1-5c9b-4d42-ba0c-2aba0e897337

Explore whether DT Hash is subject to change during auth workflow and after session is established

After discussing with @terrancedejesus, there is concern that the dt_hash may potentially change unexpectedly, based on how it is used in the rules. Need to confirm and adjust as necessary.

Example Data

No response
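An added illustration of the first tuning point (constructed example, not code from the issue or from the detection-rules repository): it aggregates constructed Okta auth events by device token hash and counts distinct users, once with the okta.security_context.is_proxy:true clause applied and once without it. The field names, the event shape and the distinct-user threshold are assumptions, not the rule's actual query or threshold.

```python
from collections import defaultdict

# Constructed sample events (not real Okta data). Keys mimic the Elastic
# Okta integration field paths; dt_hash is the device token hash the rule
# groups on, is_proxy the clause the issue proposes removing.
EVENTS = [
    {"okta.actor.alternate_id": "alice@example.com",
     "okta.debug_context.debug_data.dt_hash": "hashA", "okta.security_context.is_proxy": True},
    {"okta.actor.alternate_id": "bob@example.com",
     "okta.debug_context.debug_data.dt_hash": "hashA", "okta.security_context.is_proxy": True},
    {"okta.actor.alternate_id": "carol@example.com",
     "okta.debug_context.debug_data.dt_hash": "hashA", "okta.security_context.is_proxy": False},
    {"okta.actor.alternate_id": "dave@example.com",
     "okta.debug_context.debug_data.dt_hash": "hashB", "okta.security_context.is_proxy": False},
    {"okta.actor.alternate_id": "erin@example.com",
     "okta.debug_context.debug_data.dt_hash": "hashB", "okta.security_context.is_proxy": False},
    {"okta.actor.alternate_id": "alice@example.com",
     "okta.debug_context.debug_data.dt_hash": "hashC", "okta.security_context.is_proxy": True},
]


def users_per_dt_hash(events, require_proxy):
    """Return {dt_hash: set of distinct users} over the given auth events.

    When require_proxy is True, events without is_proxy:true are dropped
    first, mirroring the clause the issue proposes removing.
    """
    groups = defaultdict(set)
    for ev in events:
        if require_proxy and not ev.get("okta.security_context.is_proxy", False):
            continue
        groups[ev["okta.debug_context.debug_data.dt_hash"]].add(ev["okta.actor.alternate_id"])
    return dict(groups)


def alerting_hashes(events, require_proxy, min_users=2):
    """Device token hashes seen with at least min_users distinct users.

    min_users is an assumed illustrative threshold, not the rule's own.
    """
    groups = users_per_dt_hash(events, require_proxy)
    return sorted(h for h, users in groups.items() if len(users) >= min_users)
```

With the proxy clause in place only hashA fires (two proxied users); dropping the clause also surfaces hashB and raises hashA to three distinct users, which is the coverage change the first tuning point trades against noise.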
