IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Possible FIN7 DGA Command and Control Behavior Potential Abuse of Repeated MFA Push Notifications »

› › ›

Possible Okta DoS Attack

edit

Possible Okta DoS Attack

edit

Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization’s business operations by performing a DoS attack against its Okta service.

Rule type: query

Rule indices:

filebeat-*
logs-okta*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact

Version: 105

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Rule query

edit

event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Impact
- ID: TA0040
- Reference URL: https://attack.mitre.org/tactics/TA0040/
Technique:
- Name: Network Denial of Service
- ID: T1498
- Reference URL: https://attack.mitre.org/techniques/T1498/
Technique:
- Name: Endpoint Denial of Service
- ID: T1499
- Reference URL: https://attack.mitre.org/techniques/T1499/

« Possible FIN7 DGA Command and Control Behavior Potential Abuse of Repeated MFA Push Notifications »