Detectionlowtest

Okta Policy Modified or Deleted

Detects when an Okta policy is modified or deleted.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Austin SongerCreated Sun Sep 12Updated Sun Oct 091667a172-ed4c-463c-9969-efd92195319aidentity

Log Source

Oktaokta

ProductOkta← raw: okta

Serviceokta← raw: okta

Detection Logic

detection:
    selection:
        eventtype:
            - policy.lifecycle.update
            - policy.lifecycle.delete
    condition: selection

False Positives

Okta Policies being modified or deleted may be performed by a system administrator.

Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

References

MITRE ATT&CK

Tactics

TA0040 · Impact

Rule Metadata

Rule ID

1667a172-ed4c-463c-9969-efd92195319a

Status

test

Level

low

Type

Detection

Created

Sun Sep 12

Modified

Sun Oct 09

Author

Austin Songer

Path

rules/identity/okta/okta_policy_modified_or_deleted.yml

Raw Tags

attack.impact

View on GitHub