
Summary
This detection rule identifies the first occurrence of an Okta user session initiated via a proxy. It is tailored to spot potentially suspicious authentication attempts that may signify an attacker's efforts to access an Okta account while concealing their identity. The rule uses the New Terms mechanism: it examines occurrences of `okta.actor.id` over the previous week to determine whether the user has previously been seen in similar proxy activity, and only the first such occurrence in that window produces an alert. Analysis steps include investigating the user involved, reviewing the client used, examining proxy-related debug data, and evaluating geographical data from the proxy's IP chain. False positives are possible, as legitimate users may use proxies for security or privacy. Where the behavior is judged suspicious, the rule advises remediation actions such as resetting passwords, enabling or resetting multi-factor authentication, or, if the actor is determined to be illegitimate, deactivating the user's account. This rule relies on data from the Okta Fleet integration or the related Filebeat module.
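To make the New Terms logic concrete, the following is an added example (not the rule's own query or Elastic's implementation) that emulates it in Python over constructed Okta system log events: an actor is alerted on only when no matching proxy event from that actor falls within the preceding history window. The flattened field name `okta.security_context.is_proxy` is assumed here as the proxy indicator; the real rule may key on other fields.

```python
from datetime import datetime, timedelta

# Constructed sample events, flattened to ECS-style dotted keys. The proxy
# indicator field is an assumption for this example, not taken from the rule.
SAMPLE_EVENTS = [
    {"@timestamp": "2023-11-01T09:00:00Z", "event.dataset": "okta.system",
     "okta.actor.id": "00uA", "okta.security_context.is_proxy": True},
    {"@timestamp": "2023-11-02T10:00:00Z", "event.dataset": "okta.system",
     "okta.actor.id": "00uB", "okta.security_context.is_proxy": False},
    {"@timestamp": "2023-11-03T11:00:00Z", "event.dataset": "okta.system",
     "okta.actor.id": "00uA", "okta.security_context.is_proxy": True},
    {"@timestamp": "2023-11-04T12:00:00Z", "event.dataset": "okta.system",
     "okta.actor.id": "00uB", "okta.security_context.is_proxy": True},
    {"@timestamp": "2023-11-05T00:00:00Z", "event.dataset": "aws.cloudtrail",
     "okta.actor.id": "00uA", "okta.security_context.is_proxy": True},
    {"@timestamp": "2023-11-12T08:00:00Z", "event.dataset": "okta.system",
     "okta.actor.id": "00uA", "okta.security_context.is_proxy": True},
]


def matches_query(event):
    """Base query: Okta system log events flagged as arriving via a proxy."""
    return (event.get("event.dataset") == "okta.system"
            and event.get("okta.security_context.is_proxy") is True)


def first_proxy_sessions(events, history_days=7):
    """Emulate a New Terms rule keyed on okta.actor.id.

    An event is emitted when its actor has produced no matching event in the
    preceding history window. Only the most recent prior match per actor needs
    tracking: if any earlier match lies inside the window, the latest one does.
    """
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        actor = ev["okta.actor.id"]
        prev = last_seen.get(actor)
        if prev is None or ts - prev > timedelta(days=history_days):
            alerts.append(ev)  # first proxy session for this actor in the window
        last_seen[actor] = ts
    return alerts


def alert_keys(events, history_days=7):
    """Compact (timestamp, actor) view of the alerts, handy for triage output."""
    return [(e["@timestamp"], e["okta.actor.id"])
            for e in first_proxy_sessions(events, history_days)]
```

Note that actor `00uA` alerts twice: its second proxy session is suppressed because one was seen two days earlier, but the session on 2023-11-12 falls more than seven days after the last one, so the term is new again.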
Categories
- Identity Management
- Cloud
- Endpoint
Data Sources
- User Account
- Cloud Service
- Application Log
ATT&CK Techniques
- T1133
Created: 2023-11-07