Possible Okta DoS Attack

Last updated 5 days ago on 2024-09-23

Created 4 years ago on 2020-05-21

About

Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.

Tags

Use Case: Identity and Access AuditData Source: OktaTactic: Impact

Severity

medium

Risk Score

MITRE ATT&CK™

Impact (TA0040)(opens in a new tab or window)

↳ Network Denial of Service (T1498)(opens in a new tab or window)

↳ Endpoint Denial of Service (T1499)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-okta*
Related Integrations: okta(opens in a new tab or window)
Query

event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)

Install detection rules in Elastic Security

Detect Possible Okta DoS Attack in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).