Possible Okta DoS Attack

edit

An adversary may attempt to disrupt an organization’s business operations by performing a denial of service (DoS) attack against its Okta infrastructure.

Rule type: query

Rule indices:

  • filebeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Okta
  • SecOps
  • Monitoring
  • Continuous Monitoring

Version: 1

Added (Elastic Stack release): 7.9.0

Rule authors: Elastic

Rule license: Elastic License

Investigation guide

edit

The Okta Filebeat module must be enabled to use this rule.

Rule query

edit
event.module:okta and event.dataset:okta.system and
event.action:(application.integration.rate_limit_exceeded or
system.org.rate_limit.warning or system.org.rate_limit.violation or
core.concurrency.org.limit.violation)

Threat mapping

edit

Framework: MITRE ATT&CKTM