From ca98aa87622edb40ea4d4c076a0e533dc300a6e4 Mon Sep 17 00:00:00 2001
From: Evan Gibler
Date: Thu, 8 Feb 2024 17:23:45 -0600
Subject: [PATCH] [sync] updated severity to match eventtype (#71) (#1093)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
---
 rules/okta_rules/okta_rate_limits.py  | 11 ++++++++++-
 rules/okta_rules/okta_rate_limits.yml |  4 ++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/rules/okta_rules/okta_rate_limits.py b/rules/okta_rules/okta_rate_limits.py
index 8b0fdba92..6bf24e0f9 100644
--- a/rules/okta_rules/okta_rate_limits.py
+++ b/rules/okta_rules/okta_rate_limits.py
@@ -5,9 +5,11 @@
 DETECTION_EVENTS = [
     "app.oauth2.client_id_rate_limit_warning",
     "application.integration.rate_limit_exceeded",
-    "system.client.concurrency_rate_limit.notification",
+    "system.client.rate_limit.*",
+    "system.client.concurrency_rate_limit.*",
     "system.operation.rate_limit.*",
     "system.org.rate_limit.*",
+    "core.concurrency.org.limit.violation",
 ]
 
 
@@ -29,6 +31,13 @@ def title(event):
 def severity(event):
     if event.get("severity", "") == "INFO":
         return "INFO"
+    eventtype = event.get("eventtype", "")
+    if "notification" in eventtype:
+        return "LOW"
+    if "warning" in eventtype:
+        return "MEDIUM"
+    if "violation" in eventtype:
+        return "HIGH"
     return "DEFAULT"
 
 
diff --git a/rules/okta_rules/okta_rate_limits.yml b/rules/okta_rules/okta_rate_limits.yml
index cdec0e51e..f7b5f3047 100644
--- a/rules/okta_rules/okta_rate_limits.yml
+++ b/rules/okta_rules/okta_rate_limits.yml
@@ -13,7 +13,7 @@ Reports:
   MITRE ATT&CK:
     - TA0006:T1110
     - TA0040:T1498
-Reference: https://help.okta.com/en-us/content/topics/security/api-rate-limits.htm
+Reference: https://developer.okta.com/docs/reference/rl-system-log-events/
 Tests:
   - ExpectedResult: true
     Log:
@@ -236,7 +236,7 @@ Tests:
       uuid: aa-11-22-33-44-bb
       version: "0"
 Name: Non event
-DedupPeriodMinutes: 60
+DedupPeriodMinutes: 360 # 6 hours
 LogTypes:
   - Okta.SystemLog
 RuleID: "Okta.Rate.Limits"
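Review bot: DETECTION_EVENTS now mixes exact eventtype names with three trailing-`.*` entries, and replacing the exact `system.client.concurrency_rate_limit.notification` with `system.client.concurrency_rate_limit.*` widens that match to every suffix Okta emits under it, but nothing in the hunk says how the `*` is interpreted; the code that consumes the list (presumably `rule()`) is outside the hunk, so a reader cannot tell whether these are prefix matches, globs or regexes. A one-line comment above the list would settle it, for example `# Entries ending in ".*" are matched by prefix against event["eventtype"]; all others must match exactly` (wording to be confirmed against the matching code). It is also worth noting in that comment that `core.concurrency.org.limit.violation` and the widened concurrency entry are what make the new HIGH branch in `severity()` reachable.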
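Review bot: The new keyword checks in `severity()` leave `application.integration.rate_limit_exceeded`, and any `system.*.rate_limit.*` event whose suffix is not `notification`, `warning` or `violation`, falling through to `"DEFAULT"`, even though an "exceeded" event is at least as serious as a "warning"; if that fallthrough is intentional it deserves a comment, otherwise an explicit branch such as `if "exceeded" in eventtype: return "HIGH"` before the final return would keep the mapping consistent. The substring checks run against the whole eventtype rather than its last segment, so `app.oauth2.client_id_rate_limit_warning` maps to MEDIUM via `"warning"` in the middle of the name, which looks intended but should be stated. A short docstring would capture the contract: severity INFO is passed through unchanged, then notification/warning/violation map to LOW/MEDIUM/HIGH, and everything else is DEFAULT. The two blank lines after `return "DEFAULT"` suggest another definition follows outside the hunk.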