IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Possible Okta DoS Attack
editPossible Okta DoS Attack
editDetects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization’s business operations by performing a DoS attack against its Okta service.
Rule type: query
Rule indices:
- filebeat-*
- logs-okta*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: None (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Use Case: Identity and Access Audit
- Data Source: Okta
- Tactic: Impact
Version: 105
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editRule query
editevent.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Impact
- ID: TA0040
- Reference URL: https://attack.mitre.org/tactics/TA0040/
-
Technique:
- Name: Network Denial of Service
- ID: T1498
- Reference URL: https://attack.mitre.org/techniques/T1498/
-
Technique:
- Name: Endpoint Denial of Service
- ID: T1499
- Reference URL: https://attack.mitre.org/techniques/T1499/