Okta rate limit tuning (#1329)

* updated okta rate limit rules * only alert on rate limit violations --------- Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
panther-labs · Aug 19, 2024 · 790b4e5 · 790b4e5
1 parent 98c4c4a
commit 790b4e5
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 21 deletions.
diff --git a/rules/okta_rules/okta_rate_limits.py b/rules/okta_rules/okta_rate_limits.py
@@ -16,29 +16,20 @@
 def rule(event):
     eventtype = event.get("eventtype", "")
     for detection_event in DETECTION_EVENTS:
-        if fnmatch(eventtype, detection_event):
+        if fnmatch(eventtype, detection_event) and "violation" in eventtype:
             return True
     return False
 
 
 def title(event):
     return (
         f"Okta Rate Limit Event: [{event.get('eventtype','')}] "
-        f"by [{event.get('actor', {}).get('alternateId', '<id-not-found>')}]"
+        f"by [{event.deep_get('actor', 'alternateId', default='<id-not-found>')}]"
     )
 
 
-def severity(event):
-    if event.get("severity", "") == "INFO":
-        return "INFO"
-    eventtype = event.get("eventtype", "")
-    if "notification" in eventtype:
-        return "LOW"
-    if "warning" in eventtype:
-        return "MEDIUM"
-    if "violation" in eventtype:
-        return "HIGH"
-    return "DEFAULT"
+def dedup(event):
+    return event.deep_get("actor", "alternateId", default="<id-not-found>")
 
 
 def alert_context(event):

diff --git a/rules/okta_rules/okta_rate_limits.yml b/rules/okta_rules/okta_rate_limits.yml
@@ -3,7 +3,7 @@ Description: Potential DoS/Bruteforce attack or hitting limits (system degradati
 DisplayName: "Okta Rate Limits"
 Enabled: true
 Filename: okta_rate_limits.py
-Severity: High
+Severity: Low
 Tags:
   - Credential Access
   - Brute Force
@@ -14,8 +14,13 @@ Reports:
     - TA0006:T1110
     - TA0040:T1498
 Reference: https://developer.okta.com/docs/reference/rl-system-log-events/
+DedupPeriodMinutes: 1440 # 24 hours
+LogTypes:
+  - Okta.SystemLog
+RuleID: "Okta.Rate.Limits"
+Threshold: 1
 Tests:
-  - ExpectedResult: true
+  - ExpectedResult: false
     Log:
       actor:
         alternateId: homer.simpson@duff.com
@@ -124,7 +129,7 @@ Tests:
       uuid: asdfdashh
       version: "0"
     Name: system.operation.ratelimit.violation
-  - ExpectedResult: true
+  - ExpectedResult: false
     Log:
       actor:
         alternateId: homer.simpson@duff.com
@@ -236,8 +241,3 @@ Tests:
       uuid: aa-11-22-33-44-bb
       version: "0"
     Name: Non event
-DedupPeriodMinutes: 360 # 6 hours
-LogTypes:
-  - Okta.SystemLog
-RuleID: "Okta.Rate.Limits"
-Threshold: 1