Possible Okta DoS Attack

Elastic Stack Serverless Security

Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization’s business operations by performing a DoS attack against its Okta service.

Rule type: query

Rule indices:

• filebeat-*
• logs-okta*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: None (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References:

• https://developer.okta.com/docs/reference/api/system-log/
• https://developer.okta.com/docs/reference/api/event-types/
• https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy

Tags:

• Elastic
• Identity
• Okta
• Continuous Monitoring
• SecOps
• Monitoring

Version: 102

Rule authors:

• Elastic

Rule license: Elastic License v2

event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)

Framework: MITRE ATT&CKTM

• Tactic:

  • Name: Impact
  • ID: TA0040
  • Reference URL: https://attack.mitre.org/tactics/TA0040/

• Technique:

  • Name: Network Denial of Service
  • ID: T1498
  • Reference URL: https://attack.mitre.org/techniques/T1498/

• Technique:

  • Name: Endpoint Denial of Service
  • ID: T1499
  • Reference URL: https://attack.mitre.org/techniques/T1499/