Possible Okta DoS Attack
editPossible Okta DoS Attack
editDetects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization’s business operations by performing a DoS attack against its Okta service.
Rule type: query
Rule indices:
- filebeat-*
- logs-okta*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: None (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
- https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy
- https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security
- https://www.elastic.co/security-labs/starter-guide-to-understanding-okta
Tags:
- Use Case: Identity and Access Audit
- Data Source: Okta
- Tactic: Impact
Version: 409
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editSetup
editThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Rule query
editevent.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Impact
- ID: TA0040
- Reference URL: https://attack.mitre.org/tactics/TA0040/
-
Technique:
- Name: Network Denial of Service
- ID: T1498
- Reference URL: https://attack.mitre.org/techniques/T1498/
-
Technique:
- Name: Endpoint Denial of Service
- ID: T1499
- Reference URL: https://attack.mitre.org/techniques/T1499/