Attempt to Deactivate an Okta Application
Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/06"
3integration = ["okta"]
4maturity = "production"
5updated_date = "2024/12/09"
6min_stack_version = "8.15.0"
7min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta
13application in order to weaken an organization's security controls or disrupt their business operations.
14"""
15false_positives = [
16 """
17 Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are
18 regularly deactivated and the behavior is expected.
19 """,
20]
21index = ["filebeat-*", "logs-okta*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "Attempt to Deactivate an Okta Application"
25note = """## Triage and analysis
26
27### Investigating Attempt to Deactivate an Okta Application
28
29This rule detects attempts to deactivate an Okta application. Unauthorized deactivation could lead to disruption of services and pose a significant risk to the organization.
30
31#### Possible investigation steps:
32- Identify the actor associated with the deactivation attempt by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
33- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
34- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.
35- Understand the context of the event from the `okta.debug_context.debug_data` and `okta.authentication_context` fields.
36- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.
37- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.
38- Analyze the `okta.transaction.id` and `okta.transaction.type` fields to understand the context of the transaction.
39- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.
40
41### False positive analysis:
42- It might be a false positive if the action was part of a planned activity, performed by an authorized person, or if the `okta.outcome.result` field shows a failure.
43- An unsuccessful attempt might also indicate an authorized user having trouble rather than a malicious activity.
44
45### Response and remediation:
46- If unauthorized deactivation attempts are confirmed, initiate the incident response process.
47- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.
48- Reset the user's password and enforce MFA re-enrollment, if applicable.
49- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
50- If the deactivated application was crucial for business operations, coordinate with the relevant team to reactivate it and minimize the impact.
51
52## Setup
53
54The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
55"""
56references = [
57 "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
58 "https://developer.okta.com/docs/reference/api/system-log/",
59 "https://developer.okta.com/docs/reference/api/event-types/",
60 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
61 "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
62 "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
63]
64risk_score = 21
65rule_id = "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a"
66severity = "low"
67tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"]
68timestamp_override = "event.ingested"
69type = "query"
70
71query = '''
72event.dataset:okta.system and event.action:application.lifecycle.deactivate
73'''
74
75
76[[rule.threat]]
77framework = "MITRE ATT&CK"
78[[rule.threat.technique]]
79id = "T1489"
80name = "Service Stop"
81reference = "https://attack.mitre.org/techniques/T1489/"
82
83
84[rule.threat.tactic]
85id = "TA0040"
86name = "Impact"
87reference = "https://attack.mitre.org/tactics/TA0040/"
Triage and analysis
Investigating Attempt to Deactivate an Okta Application
This rule detects attempts to deactivate an Okta application. Unauthorized deactivation could lead to disruption of services and pose a significant risk to the organization.
Possible investigation steps:
- Identify the actor associated with the deactivation attempt by examining the
okta.actor.id
,okta.actor.type
,okta.actor.alternate_id
, andokta.actor.display_name
fields. - Determine the client used by the actor. Review the
okta.client.ip
,okta.client.user_agent.raw_user_agent
,okta.client.zone
,okta.client.device
, andokta.client.id
fields. - If the client is a device, check the
okta.device.id
,okta.device.name
,okta.device.os_platform
,okta.device.os_version
, andokta.device.managed
fields. - Understand the context of the event from the
okta.debug_context.debug_data
andokta.authentication_context
fields. - Check the
okta.outcome.result
andokta.outcome.reason
fields to see if the attempt was successful or failed. - Review the past activities of the actor involved in this action by checking their previous actions logged in the
okta.target
field. - Analyze the
okta.transaction.id
andokta.transaction.type
fields to understand the context of the transaction. - Evaluate the actions that happened just before and after this event in the
okta.event_type
field to help understand the full context of the activity.
False positive analysis:
- It might be a false positive if the action was part of a planned activity, performed by an authorized person, or if the
okta.outcome.result
field shows a failure. - An unsuccessful attempt might also indicate an authorized user having trouble rather than a malicious activity.
Response and remediation:
- If unauthorized deactivation attempts are confirmed, initiate the incident response process.
- Block the IP address or device used in the attempts if they appear suspicious, using the data from the
okta.client.ip
andokta.device.id
fields. - Reset the user's password and enforce MFA re-enrollment, if applicable.
- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
- If the deactivated application was crucial for business operations, coordinate with the relevant team to reactivate it and minimize the impact.
Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Attempt to Delete an Okta Application
- Attempt to Modify an Okta Application
- Attempt to Revoke Okta API Token
- Possible Okta DoS Attack
- Administrator Privileges Assigned to an Okta Group