The SIEM app is now a part of the Elastic Security solution. Click here to view SIEM documentation for previous releases.

« Persistence via Kernel Module Modification Potential Application Shimming via Sdbinst »

› › ›

Possible Okta DoS Attack

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Possible Okta DoS Attack

edit

An adversary may attempt to disrupt an organization’s business operations by performing a denial of service (DoS) attack against its Okta infrastructure.

Rule type: query

Rule indices:

filebeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Okta
SecOps
Monitoring
Continuous Monitoring

Version: 1

Added (Elastic Stack release): 7.9.0

Rule authors: Elastic

Rule license: Elastic License

Investigation guide

edit

The Okta Filebeat module must be enabled to use this rule.

Rule query

edit

event.module:okta and event.dataset:okta.system and
event.action:(application.integration.rate_limit_exceeded or
system.org.rate_limit.warning or system.org.rate_limit.violation or
core.concurrency.org.limit.violation)

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Impact
- ID: TA0040
- Reference URL: https://attack.mitre.org/tactics/TA0040/
Technique:
- Name: Network Denial of Service
- ID: T1498
- Reference URL: https://attack.mitre.org/techniques/T1498/

« Persistence via Kernel Module Modification Potential Application Shimming via Sdbinst »