(https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml)

Description

The absence of 'and event.outcome: "success"' can create a number of false positives as it would count failed logins (including wrong user name, be it typo, auto-fill, etc). Adding this will ensure the rule only triggers successful logins.

On the side, I question the need to have this to be narrowed to be specific to behind proxy only. In my environment, I want to see this action regardless of whether the host system is behind a proxy or not.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.