Possible Okta DoS Attack

Elastic Detection Rules

Summary
This detection rule identifies potential Denial of Service (DoS) attacks against an Okta organization, a critical identity management service. Attackers may attempt to disrupt operations by overwhelming Okta with excessive requests. The rule captures such activity by monitoring the system events Okta emits when a request exceeds the rate limits it enforces to protect service availability, specifically the event types 'application.integration.rate_limit_exceeded' and 'system.org.rate_limit.violation'.

To assess the impact of a triggered event, analysts should review the request pattern, identify the source of the excessive requests (client IP address, the integration or application involved, and the throttled endpoint), correlate with logs from other services, and rule out legitimate high-volume usage such as a misconfigured or aggressively polling integration, which is the main source of false positives. Confirmed abuse can be addressed by blocking the offending IP addresses, rate limiting upstream of Okta, and adjusting the organization's Okta rate-limit settings. The rule is also useful for monitoring the health of Okta integrations, since an integration that repeatedly trips rate limits degrades access management for the whole organization.

Setup requires the Okta Fleet integration or the Filebeat Okta module to collect compatible event data.
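As an added example that is not part of the Elastic rule or of Okta's code, the following Python reproduces the rule's match over constructed Okta System Log records and then performs the first triage step the summary describes: grouping matches by client IP and by throttled target so the source of the burst stands out from a one-off limit hit. The event types are the two named above; the field layout (eventType, client.ipAddress, target[].displayName, outcome) is assumed to follow Okta's System Log schema and should be checked against your tenant.

```python
import json
from collections import Counter
from typing import Dict, List, Tuple

# Okta System Log event types the rule matches on, as named on this page.
RATE_LIMIT_EVENT_TYPES = frozenset({
    "application.integration.rate_limit_exceeded",
    "system.org.rate_limit.violation",
})

# Constructed sample records (not real Okta data). The field layout
# (eventType, client.ipAddress, target[].displayName, outcome) is an
# assumption about the Okta System Log schema; verify against your tenant.
_SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "published": "2024-01-01T10:00:00.000Z",
     "client": {"ipAddress": "203.0.113.5"}, "outcome": {"result": "SUCCESS"}, "target": []},
    {"eventType": "system.org.rate_limit.violation", "published": "2024-01-01T10:00:01.000Z",
     "client": {"ipAddress": "198.51.100.7"},
     "outcome": {"result": "FAILURE", "reason": "Rate limit exceeded"},
     "target": [{"type": "URL Pattern", "displayName": "/api/v1/users"}]},
    {"eventType": "system.org.rate_limit.violation", "published": "2024-01-01T10:00:02.000Z",
     "client": {"ipAddress": "198.51.100.7"},
     "outcome": {"result": "FAILURE", "reason": "Rate limit exceeded"},
     "target": [{"type": "URL Pattern", "displayName": "/api/v1/users"}]},
    {"eventType": "application.integration.rate_limit_exceeded", "published": "2024-01-01T10:00:03.000Z",
     "client": {"ipAddress": "198.51.100.7"},
     "outcome": {"result": "FAILURE", "reason": "Rate limit exceeded"},
     "target": [{"type": "AppInstance", "displayName": "HR Sync App"}]},
    {"eventType": "system.org.rate_limit.violation", "published": "2024-01-01T10:05:00.000Z",
     "client": {"ipAddress": "192.0.2.9"},
     "outcome": {"result": "FAILURE", "reason": "Rate limit exceeded"},
     "target": [{"type": "URL Pattern", "displayName": "/api/v1/logs"}]},
    {"eventType": "app.oauth2.token.grant", "published": "2024-01-01T10:06:00.000Z",
     "client": {"ipAddress": "203.0.113.5"}, "outcome": {"result": "SUCCESS"}, "target": []},
]
# Newline-delimited JSON as a log shipper would deliver it, plus one
# truncated line so the parser's tolerance of damaged input is exercised.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _SAMPLE_EVENTS) + '\n{"eventType": "system.org.rate_l'


def parse_events(log_text: str) -> List[dict]:
    """Parse NDJSON, skipping blank or malformed lines rather than aborting the whole batch."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_rate_limit_event(event: dict) -> bool:
    """The rule's core condition: the event type is one of Okta's rate-limit violations."""
    return event.get("eventType") in RATE_LIMIT_EVENT_TYPES


def detect(events: List[dict]) -> List[dict]:
    return [e for e in events if is_rate_limit_event(e)]


def summarize_by_source(matches: List[dict]) -> Tuple[Counter, Counter]:
    """Count matches per client IP and per throttled target (endpoint or app instance)."""
    by_ip: Counter = Counter()
    by_target: Counter = Counter()
    for e in matches:
        by_ip[(e.get("client") or {}).get("ipAddress", "unknown")] += 1
        for t in e.get("target") or []:
            by_target[t.get("displayName", "unknown")] += 1
    return by_ip, by_target


def noisy_sources(by_ip: Counter, threshold: int) -> List[str]:
    """IPs at or above the threshold; a single hit is more likely a legitimate integration than a DoS."""
    return sorted(ip for ip, n in by_ip.items() if n >= threshold)


def triage(log_text: str, threshold: int = 3) -> Dict[str, object]:
    matches = detect(parse_events(log_text))
    by_ip, by_target = summarize_by_source(matches)
    return {
        "matches": len(matches),
        "by_ip": dict(by_ip),
        "by_target": dict(by_target),
        "noisy_sources": noisy_sources(by_ip, threshold),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The threshold is the tuning knob for the false positives the summary warns about: an integration that hits a limit once in a polling cycle is noise, while one IP producing a cluster of violations across endpoints in seconds is what the rule is meant to surface.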
Categories
  • Identity Management
  • Cloud
  • Web
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1498
  • T1499
Created: 2020-05-21