Attempt to Delete an Okta Application

Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/11/06"
integration = ["okta"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.15.0"
min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."

[rule]
author = ["Elastic"]
description = """
Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta
application in order to weaken an organization's security controls or disrupt their business operations.
"""
false_positives = [
    """
    Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are
    regularly deleted and the behavior is expected.
    """,
]
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Delete an Okta Application"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Attempt to Delete an Okta Application

Okta is a widely used identity management service that helps organizations manage user access to applications securely. Adversaries may target Okta applications to disrupt operations or weaken security by deleting them, for example removing an application that enforces SSO and MFA so that it can be re-created with weaker settings. The rule matches Okta System Log events whose `event.action` is `application.lifecycle.delete` and raises a low-severity alert (risk score 21): application deletions are frequently legitimate administrative work, so the alert is intended to be triaged rather than acted on automatically.

### Possible investigation steps

- Review the event logs for entries with `event.dataset:okta.system` and `event.action:application.lifecycle.delete` to confirm the deletion action. Check `okta.outcome.result`: the rule fires on both successful and failed attempts, and a `SUCCESS` outcome means the application is already gone.
- Identify the user account associated with the deletion attempt (`okta.actor.alternate_id`, `okta.actor.display_name`) and verify their role and permissions within the organization to assess whether the action was authorized.
- Check the timestamp of the event to determine whether the deletion coincides with a known maintenance window or an approved change.
- Investigate the specific Okta application targeted for deletion (the `okta.target` entry of type `AppInstance`) to understand its importance and the impact on business operations if it was, or had been, deleted.
- Examine recent changes or unusual activity associated with the actor account or the targeted application, such as logins from unfamiliar IP addresses or user agents, recent privilege changes, or MFA resets, to identify indicators of compromise.
- Correlate this event with other security alerts and logs to determine whether it is part of a broader attack or an isolated incident.

### False positive analysis

- Routine maintenance by IT staff may trigger the rule when they legitimately delete applications. To manage this, create exceptions for known maintenance periods or for the specific administrator accounts responsible for these tasks.
- Automated tooling used for application lifecycle management (for example infrastructure-as-code pipelines) may generate false positives. Identify these tools and add their service accounts to a rule exception, ideally combined with the expected source network, so that the same account acting from an unexpected location still alerts.
- Test or development Okta tenants where applications are frequently created and deleted can lead to false positives. Exclude these tenants from monitoring or scope the rule to production tenants.
- Changes made by authorized personnel for legitimate business needs may be flagged. Implement a change-approval process so that expected deletions can be quickly identified and closed during triage.

### Response and remediation

- Determine from `okta.outcome.result` whether the deletion succeeded. If it failed, consider temporarily deactivating the application or restricting its assignments until the actor's intent is understood; if it succeeded, the application no longer exists and the priority shifts to containing the actor and restoring the application.
- Review the audit logs and event details associated with the deletion to identify the source of the action, including the actor account, source IP address, and user agent, and enumerate everything else that actor did in the same session.
- Revoke sessions and access for any compromised or suspicious accounts identified in the investigation, and rotate any API tokens they own, to prevent further unauthorized actions.
- Re-create or restore the deleted application from configuration records or backups where available, verifying that sign-on policy, assignments, and attribute mappings are intact.
- Notify the security team and relevant stakeholders about the incident, providing details of the deletion and the actions taken.
- Conduct a root cause analysis to determine how the unauthorized action was possible (for example excessive administrator role assignment or a compromised credential) and implement additional controls to prevent recurrence.
- Enhance monitoring and alerting for Okta application lifecycle events (create, update, deactivate, delete) to ensure rapid detection of any future unauthorized modification or deletion.

## Setup

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
    "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 21
rule_id = "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f"
severity = "low"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:okta.system and event.action:application.lifecycle.delete
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1489"
name = "Service Stop"
reference = "https://attack.mitre.org/techniques/T1489/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
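The following is an added example, not code from Elastic or from the Okta integration. It replays a handful of constructed Okta System Log events (field names follow the Okta System Log API, all values are made up) through the rule's query logic and then performs the enrichment the triage steps above ask for: actor, source IP, targeted application, whether the deletion actually succeeded, and whether the event is covered by an exception. The `normalize` function approximates the ECS mapping the Okta integration applies (`eventType` to `event.action`, Okta fields under `okta.*`); the trusted actor and network values are placeholders.

```python
"""Replay constructed Okta System Log events through the logic of the Elastic rule
"Attempt to Delete an Okta Application" and enrich each hit for triage.
Added example; not Elastic's or Okta's code."""
import ipaddress
from typing import Any

# Constructed sample events in the Okta System Log (LogEvent) shape. Every value is made up.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {   # 0: successful deletion by a human admin from an unknown address -> real alert
        "eventType": "application.lifecycle.delete", "published": "2025-01-15T09:12:03.000Z",
        "outcome": {"result": "SUCCESS", "reason": None},
        "actor": {"id": "00u1", "type": "User", "alternateId": "alice@example.com", "displayName": "Alice Admin"},
        "client": {"ipAddress": "203.0.113.10", "userAgent": {"rawUserAgent": "Mozilla/5.0"}},
        "target": [{"id": "0oa1", "type": "AppInstance", "alternateId": "corp_vpn", "displayName": "Corporate VPN"}],
    },
    {   # 1: failed attempt -> still matches the rule, but the app survived
        "eventType": "application.lifecycle.delete", "published": "2025-01-15T09:14:40.000Z",
        "outcome": {"result": "FAILURE", "reason": "constructed: actor lacks privilege"},
        "actor": {"id": "00u2", "type": "User", "alternateId": "bob@example.com", "displayName": "Bob"},
        "client": {"ipAddress": "203.0.113.44", "userAgent": {"rawUserAgent": "curl/8.0"}},
        "target": [{"id": "0oa2", "type": "AppInstance", "alternateId": "hr_portal", "displayName": "HR Portal"}],
    },
    {   # 2: deactivation, not deletion -> the query does not match
        "eventType": "application.lifecycle.deactivate", "published": "2025-01-15T09:20:00.000Z",
        "outcome": {"result": "SUCCESS", "reason": None},
        "actor": {"id": "00u1", "type": "User", "alternateId": "alice@example.com", "displayName": "Alice Admin"},
        "client": {"ipAddress": "203.0.113.10", "userAgent": {"rawUserAgent": "Mozilla/5.0"}},
        "target": [{"id": "0oa3", "type": "AppInstance", "alternateId": "wiki", "displayName": "Wiki"}],
    },
    {   # 3: IaC service account deleting from its expected network -> matches, but expected
        "eventType": "application.lifecycle.delete", "published": "2025-01-15T10:00:00.000Z",
        "outcome": {"result": "SUCCESS", "reason": None},
        "actor": {"id": "00u9", "type": "User", "alternateId": "svc-okta-iac@example.com", "displayName": "IaC Pipeline"},
        "client": {"ipAddress": "198.51.100.7", "userAgent": {"rawUserAgent": "terraform-provider-okta"}},
        "target": [{"id": "0oa4", "type": "AppInstance", "alternateId": "old_test_app", "displayName": "Old Test App"}],
    },
]


def normalize(raw: dict[str, Any]) -> dict[str, Any]:
    """Approximate the Okta integration's ECS mapping (assumption): eventType becomes
    event.action, the dataset is fixed to okta.system, Okta detail fields live under okta.*."""
    outcome = raw.get("outcome") or {}
    actor = raw.get("actor") or {}
    return {
        "@timestamp": raw.get("published"),
        "event.dataset": "okta.system",
        "event.action": raw.get("eventType"),
        "okta.outcome.result": outcome.get("result"),
        "okta.outcome.reason": outcome.get("reason"),
        "okta.actor.alternate_id": actor.get("alternateId"),
        "okta.actor.display_name": actor.get("displayName"),
        "client.ip": (raw.get("client") or {}).get("ipAddress"),
        "okta.target": [{"type": t.get("type"), "id": t.get("id"), "display_name": t.get("displayName")}
                        for t in raw.get("target") or []],
    }


def matches_rule(doc: dict[str, Any]) -> bool:
    """The rule's KQL: event.dataset:okta.system and event.action:application.lifecycle.delete."""
    return doc.get("event.dataset") == "okta.system" and doc.get("event.action") == "application.lifecycle.delete"


def triage(doc: dict[str, Any], trusted_actors: frozenset, trusted_nets: list) -> dict[str, Any]:
    """Pull out the fields the investigation guide asks for. An event counts as expected only
    when a known automation account acts from its known network, so a stolen service-account
    token used from elsewhere still surfaces."""
    ip = doc.get("client.ip")
    from_trusted_net = bool(ip) and any(ipaddress.ip_address(ip) in net for net in trusted_nets)
    actor = doc.get("okta.actor.alternate_id")
    return {
        "timestamp": doc["@timestamp"],
        "actor": actor,
        "source_ip": ip,
        "applications": [t["display_name"] for t in doc["okta.target"] if t["type"] == "AppInstance"],
        "outcome": doc["okta.outcome.result"],
        "deleted": doc["okta.outcome.result"] == "SUCCESS",   # SUCCESS means the app is already gone
        "expected": actor in trusted_actors and from_trusted_net,
    }


def run_detection(raw_events, trusted_actors=frozenset(), trusted_networks=()):
    """Normalize, apply the rule, and enrich every hit. Returns one triage record per alert."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    return [triage(d, frozenset(trusted_actors), nets) for d in map(normalize, raw_events) if matches_rule(d)]


if __name__ == "__main__":
    # Placeholder exception values; replace with your own automation accounts and egress ranges.
    for alert in run_detection(SAMPLE_EVENTS, {"svc-okta-iac@example.com"}, ["198.51.100.0/24"]):
        print(alert)
```

Running it produces three alerts: Alice's successful deletion (the one to escalate), Bob's failed attempt (the application survived, but the account still warrants a look), and the pipeline's deletion, which the allowlist marks as expected; the deactivation event never matches the query. The `deleted` flag drives the first response step: only when it is false can the application still be deactivated or have its assignments restricted.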

