From 790b4e5768f78b1f88728c0b83d3b44548e772af Mon Sep 17 00:00:00 2001
From: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Date: Mon, 19 Aug 2024 11:31:10 -0600
Subject: [PATCH] Okta rate limit tuning (#1329)

* updated okta rate limit rules

* only alert on rate limit violations

---------

Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
---
 rules/okta_rules/okta_rate_limits.py | 17 ++++-------------
 rules/okta_rules/okta_rate_limits.yml | 16 ++++++++--------
 2 files changed, 12 insertions(+), 21 deletions(-)

diff --git a/rules/okta_rules/okta_rate_limits.py b/rules/okta_rules/okta_rate_limits.py
index 6bf24e0f9..74e33730f 100644
--- a/rules/okta_rules/okta_rate_limits.py
+++ b/rules/okta_rules/okta_rate_limits.py
@@ -16,7 +16,7 @@ def rule(event):
     eventtype = event.get("eventtype", "")
 
     for detection_event in DETECTION_EVENTS:
-        if fnmatch(eventtype, detection_event):
+        if fnmatch(eventtype, detection_event) and "violation" in eventtype:
             return True
     return False
 
@@ -24,21 +24,12 @@ def rule(event):
 def title(event):
     return (
         f"Okta Rate Limit Event: [{event.get('eventtype','')}] "
-        f"by [{event.get('actor', {}).get('alternateId', '')}]"
+        f"by [{event.deep_get('actor', 'alternateId', default='')}]"
     )
 
 
-def severity(event):
-    if event.get("severity", "") == "INFO":
-        return "INFO"
-    eventtype = event.get("eventtype", "")
-    if "notification" in eventtype:
-        return "LOW"
-    if "warning" in eventtype:
-        return "MEDIUM"
-    if "violation" in eventtype:
-        return "HIGH"
-    return "DEFAULT"
+def dedup(event):
+    return event.deep_get("actor", "alternateId", default="")
 
 
 def alert_context(event):
diff --git a/rules/okta_rules/okta_rate_limits.yml b/rules/okta_rules/okta_rate_limits.yml
index d70a0a330..2936e2aad 100644
--- a/rules/okta_rules/okta_rate_limits.yml
+++ b/rules/okta_rules/okta_rate_limits.yml
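Review bot: The `"violation" in eventtype` test on the added `if` line does not depend on `detection_event`, so it is re-evaluated on every pass of the loop over DETECTION_EVENTS (defined outside this hunk); hoist it as a guard ahead of the loop, `if "violation" not in eventtype:` / `return False`, and leave the fnmatch loop as it was. It is also a bare substring match, so whether the rule stays scoped to rate-limit events depends entirely on how tight the DETECTION_EVENTS globs are, which I cannot see here. A comment naming the trade-off, `# only *violation* events alert; *warning*/*notification* are intentionally dropped as noise`, would record why the early-warning signal for credential stuffing that stays below the hard limit is no longer surfaced by this rule. rule() begins before this hunk.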
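Review bot: `dedup()` returns `""` whenever `actor.alternateId` is absent, so every such event, from any source, collapses into one alert group for the whole dedup window (1440 minutes in the companion YAML change); for rate-limit events the actor may be the org or an API client rather than a user, which I cannot confirm from this hunk. A fallback that still separates sources would be `return event.deep_get("actor", "alternateId", default="") or event.deep_get("actor", "id", default="") or event.get("eventtype", "")`. The function should also carry a docstring, `"""Group alerts per actor so a sustained violation yields one alert per dedup window."""`, now that the deleted severity() no longer documents how this rule tiers events.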
@@ -3,7 +3,7 @@ Description: Potential DoS/Bruteforce attack or hitting limits (system degradati
 DisplayName: "Okta Rate Limits"
 Enabled: true
 Filename: okta_rate_limits.py
-Severity: High
+Severity: Low
 Tags:
   - Credential Access
   - Brute Force
@@ -14,8 +14,13 @@ Reports:
   - TA0006:T1110
   - TA0040:T1498
 Reference: https://developer.okta.com/docs/reference/rl-system-log-events/
+DedupPeriodMinutes: 1440 # 24 hours
+LogTypes:
+  - Okta.SystemLog
+RuleID: "Okta.Rate.Limits"
+Threshold: 1
 Tests:
-  - ExpectedResult: true
+  - ExpectedResult: false
     Log:
       actor:
         alternateId: homer.simpson@duff.com
@@ -124,7 +129,7 @@ Tests:
       uuid: asdfdashh
       version: "0"
     Name: system.operation.ratelimit.violation
-  - ExpectedResult: true
+  - ExpectedResult: false
     Log:
       actor:
         alternateId: homer.simpson@duff.com
@@ -236,8 +241,3 @@ Tests:
       uuid: aa-11-22-33-44-bb
       version: "0"
     Name: Non event
-DedupPeriodMinutes: 360 # 6 hours
-LogTypes:
-  - Okta.SystemLog
-RuleID: "Okta.Rate.Limits"
-Threshold: 1
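Review bot: `Severity: Low` now applies to the only events that still fire — the `*violation*` types, which the severity() function removed in the companion Python hunk rated HIGH — so the change lowers an actual rate-limit violation by two tiers while the Description line in this hunk's header still frames it as a potential DoS/brute-force attack. If the goal is noise reduction, the new 24-hour dedup already does that; `Severity: Medium` (or keeping a dynamic severity) keeps an org-wide violation out of the tier most triage queues ignore. This is a judgement call from the visible lines only.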
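Review bot: After this change both visible tests expect `false` (this one and the one in the `@@ -124` hunk), and the first of them is named `system.operation.ratelimit.violation`, so the only path that still alerts has no positive test and a rule() that unconditionally returns False would pass. Add a test whose Log carries an eventType that matches a DETECTION_EVENTS glob and contains `violation`, with `ExpectedResult: true`; the existing Log bodies are outside this hunk, so I cannot tell whether the current event type fails the glob or the substring. `DedupPeriodMinutes: 1440` with `Threshold: 1` also means one alert per actor per day during a sustained violation, which the trailing comment should state: `DedupPeriodMinutes: 1440 # 24 hours: one alert per actor (see dedup()) per day`.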