Attempt to Delete an Okta Application
Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/06"
3integration = ["okta"]
4maturity = "production"
5updated_date = "2024/09/23"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta
11application in order to weaken an organization's security controls or disrupt their business operations.
12"""
13false_positives = [
14 """
15 Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are
16 regularly deleted and the behavior is expected.
17 """,
18]
19index = ["filebeat-*", "logs-okta*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "Attempt to Delete an Okta Application"
23note = """## Setup
24
25The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
26references = [
27 "https://developer.okta.com/docs/reference/api/system-log/",
28 "https://developer.okta.com/docs/reference/api/event-types/",
29 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
30 "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
31 "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
32]
33risk_score = 21
34rule_id = "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f"
35severity = "low"
36tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"]
37timestamp_override = "event.ingested"
38type = "query"
39
40query = '''
41event.dataset:okta.system and event.action:application.lifecycle.delete
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1489"
49name = "Service Stop"
50reference = "https://attack.mitre.org/techniques/T1489/"
51
52
53[rule.threat.tactic]
54id = "TA0040"
55name = "Impact"
56reference = "https://attack.mitre.org/tactics/TA0040/"
Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Attempt to Deactivate an Okta Application
- Attempt to Modify an Okta Application
- Attempt to Revoke Okta API Token
- Possible Okta DoS Attack
- Administrator Privileges Assigned to an Okta Group