[sync] updated severity to match eventtype (#71) (#1093)

Co-authored-by: Ariel Ropek <[email protected]>
panther-labs · Feb 8, 2024 · ca98aa8 · ca98aa8
1 parent e1ffd79
commit ca98aa8
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 3 deletions.
diff --git a/rules/okta_rules/okta_rate_limits.py b/rules/okta_rules/okta_rate_limits.py
@@ -5,9 +5,11 @@
 DETECTION_EVENTS = [
     "app.oauth2.client_id_rate_limit_warning",
     "application.integration.rate_limit_exceeded",
-    "system.client.concurrency_rate_limit.notification",
+    "system.client.rate_limit.*",
+    "system.client.concurrency_rate_limit.*",
     "system.operation.rate_limit.*",
     "system.org.rate_limit.*",
+    "core.concurrency.org.limit.violation",
 ]
 
 
@@ -29,6 +31,13 @@ def title(event):
 def severity(event):
     if event.get("severity", "") == "INFO":
         return "INFO"
+    eventtype = event.get("eventtype", "")
+    if "notification" in eventtype:
+        return "LOW"
+    if "warning" in eventtype:
+        return "MEDIUM"
+    if "violation" in eventtype:
+        return "HIGH"
     return "DEFAULT"
 
 

diff --git a/rules/okta_rules/okta_rate_limits.yml b/rules/okta_rules/okta_rate_limits.yml
@@ -13,7 +13,7 @@ Reports:
   MITRE ATT&CK:
     - TA0006:T1110
     - TA0040:T1498
-Reference: https://help.okta.com/en-us/content/topics/security/api-rate-limits.htm
+Reference: https://developer.okta.com/docs/reference/rl-system-log-events/
 Tests:
     - ExpectedResult: true
       Log:
@@ -236,7 +236,7 @@ Tests:
         uuid: aa-11-22-33-44-bb
         version: "0"
       Name: Non event
-DedupPeriodMinutes: 60
+DedupPeriodMinutes: 360 # 6 hours
 LogTypes:
     - Okta.SystemLog
 RuleID: "Okta.Rate.Limits"