Potential Okta access limit breach

Cortex XDR Analytics Alert Reference by data source

Product: Cortex XDR
Last date published: 2025-01-19
Category: Analytics Alert Reference
Index by: data source

Synopsis

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day

Required Data

  • Requires:
    • Okta Audit Log

Detection Modules: Identity Threat Module
Detector Tags: Okta Audit Analytics
ATT&CK Tactic:
ATT&CK Technique:
Severity: Informational

Description

A user surpassed Okta's rate limit, leading to an access limit violation. This could suggest a potential account takeover attempt.

Attacker's Goals

An adversary may attempt to use a compromised account in an unusual way to harvest as much data as possible, which could result in exceeding the access limit policy.

Investigative actions

  • Reach out to the user responsible for the alert to confirm the legitimacy of the activity.
  • Examine the user's actions preceding and following the activation of the alert.
  • Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise.
  • Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).
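As an added illustration of what this alert does with the Okta audit log (example code written for this page, not Cortex XDR's own detection logic): flag rate-limit violation events per user and suppress repeat alerts for that user inside the 1-day deduplication period listed above. The eventType string and the actor/client field names are assumed from Okta's System Log format, and the log lines are constructed sample data.

```python
import json
from datetime import datetime, timedelta

# Assumed Okta System Log event type for a rate-limit violation (not named on the page).
RATE_LIMIT_EVENT = "system.operation.rate_limit.violation"
# Matches the alert's 1-day deduplication period.
DEDUP_WINDOW = timedelta(days=1)

# Constructed JSON Lines sample of Okta System Log events (not real data).
SAMPLE_LOG = """
{"eventType": "user.session.start", "published": "2025-01-10T08:00:00.000Z", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}}
{"eventType": "system.operation.rate_limit.violation", "published": "2025-01-10T08:05:00.000Z", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}}
{"eventType": "system.operation.rate_limit.violation", "published": "2025-01-10T09:00:00.000Z", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}}
{"eventType": "system.operation.rate_limit.violation", "published": "2025-01-12T10:00:00.000Z", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.7"}}
{"eventType": "system.operation.rate_limit.violation", "published": "2025-01-10T11:00:00.000Z", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "203.0.113.55"}}
""".strip()


def parse_events(log_text):
    """Parse one JSON object per line into a list of event dicts."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def parse_ts(value):
    """Okta 'published' timestamps are ISO 8601 UTC with milliseconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def detect_rate_limit_breaches(events, dedup_window=DEDUP_WINDOW):
    """Return one Informational alert per user per dedup window.

    Events are processed in time order; a second violation by the same user
    within dedup_window of the last emitted alert is suppressed as a duplicate.
    The source IP is carried along so an analyst can check IP/ASN reputation.
    """
    alerts = []
    last_alert = {}  # user -> timestamp of the last alert emitted for them
    for ev in sorted(events, key=lambda e: e["published"]):
        if ev.get("eventType") != RATE_LIMIT_EVENT:
            continue
        user = ev["actor"]["alternateId"]
        ts = parse_ts(ev["published"])
        prev = last_alert.get(user)
        if prev is not None and ts - prev < dedup_window:
            continue  # duplicate inside the 1-day window, do not re-alert
        last_alert[user] = ts
        alerts.append({"user": user, "time": ev["published"],
                       "source_ip": ev["client"]["ipAddress"],
                       "severity": "Informational"})
    return alerts


if __name__ == "__main__":
    for alert in detect_rate_limit_breaches(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this yields three alerts: alice's first violation, bob's violation, and alice's later violation two days on from a different IP, while her second same-day violation is suppressed.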

Variations

A breach in access limits within Okta, accompanied by suspicious characteristics

Synopsis

ATT&CK Tactic:
ATT&CK Technique:
Severity: Low

Description

The user exceeded the access threshold in Okta, triggering a violation alert.

Attacker's Goals

An adversary may attempt to use a compromised account in an unusual way to harvest as much data as possible, which could result in exceeding the access limit policy.

Investigative actions

  • Reach out to the user responsible for the alert to confirm the legitimacy of the activity.
  • Examine the user's actions preceding and following the activation of the alert.
  • Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise.
  • Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).