Synopsis
| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Threat Module |
| Detector Tags | Okta Audit Analytics |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A user exceeded Okta's rate limit, triggering an access limit violation. This may indicate an account takeover attempt.
Attacker's Goals
An adversary may attempt to use a compromised account in an unusual way to harvest as much data as possible, which could result in exceeding the access limit policy.
Investigative actions
- Reach out to the user responsible for the alert to confirm the legitimacy of the activity.
- Examine the user's actions preceding and following the activation of the alert.
- Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise.
- Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).
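The investigative actions above can be partly scripted against an Okta System Log export. The following is an added example, not part of the original page or the detector's own logic: it collects the affected user's events around each violation and lists IP/ASN pairs not seen for that user earlier. The event type `system.org.rate_limit.violation`, the 30-minute window, and all sample events are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta

# Assumption: the violation appears under this Okta System Log event type,
# with the affected user recorded as the event's actor.
RATE_LIMIT_EVENT = "system.org.rate_limit.violation"

# Constructed sample events (JSON lines using Okta System Log field names).
SAMPLE_LOG = """
{"published":"2024-05-01T09:00:00.000Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.7"},"securityContext":{"asNumber":64500}}
{"published":"2024-05-01T09:58:10.000Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.20"},"securityContext":{"asNumber":64511}}
{"published":"2024-05-01T10:00:00.000Z","eventType":"system.org.rate_limit.violation","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.20"},"securityContext":{"asNumber":64511}}
{"published":"2024-05-01T10:05:30.000Z","eventType":"user.account.update_password","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.20"},"securityContext":{"asNumber":64511}}
{"published":"2024-05-01T10:06:00.000Z","eventType":"user.session.start","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.9"},"securityContext":{"asNumber":64500}}
"""

def load_events(text):
    """Parse JSON lines, attach a parsed timestamp, and sort chronologically."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return sorted(events, key=lambda e: e["ts"])

def source(e):
    """The (IP address, ASN) pair to check for reputation."""
    return (e["client"]["ipAddress"], e["securityContext"]["asNumber"])

def triage(events, window=timedelta(minutes=30)):
    """Per violation: the actor's activity around it and sources not seen earlier."""
    reports = []
    for v in (e for e in events if e["eventType"] == RATE_LIMIT_EVENT):
        user = v["actor"]["alternateId"]
        mine = [e for e in events if e["actor"]["alternateId"] == user]
        near = [e for e in mine if abs(e["ts"] - v["ts"]) <= window]
        # Sources the user was seen from before the window opened.
        known = {source(e) for e in mine if e["ts"] < v["ts"] - window}
        reports.append({
            "user": user,
            "before": [e["eventType"] for e in near if e["ts"] < v["ts"]],
            "after": [e["eventType"] for e in near if e["ts"] > v["ts"]],
            "new_sources": sorted({source(e) for e in near} - known),
        })
    return reports

if __name__ == "__main__":
    for report in triage(load_events(SAMPLE_LOG)):
        print(json.dumps(report, indent=2))
```

In the constructed sample, the violation follows a login from a source the user had not used before and is followed by a password change, which is the kind of sequence to raise with the user and check against IP and ASN reputation.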