Attempt to Modify an Okta Application
Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/06"
3integration = ["okta"]
4maturity = "production"
5updated_date = "2024/12/09"
6min_stack_version = "8.15.0"
7min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta
13application in order to weaken an organization's security controls or disrupt their business operations.
14"""
15false_positives = [
16 """
17 Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are
18 regularly modified and the behavior is expected.
19 """,
20]
21index = ["filebeat-*", "logs-okta*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "Attempt to Modify an Okta Application"
25note = """## Setup
26
27The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
28references = [
29 "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
30 "https://developer.okta.com/docs/reference/api/system-log/",
31 "https://developer.okta.com/docs/reference/api/event-types/",
32 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
33 "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
34 "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
35]
36risk_score = 21
37rule_id = "c74fd275-ab2c-4d49-8890-e2943fa65c09"
38severity = "low"
39tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"]
40timestamp_override = "event.ingested"
41type = "query"
42
43query = '''
44event.dataset:okta.system and event.action:application.lifecycle.update
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50
51[rule.threat.tactic]
52id = "TA0040"
53name = "Impact"
54reference = "https://attack.mitre.org/tactics/TA0040/"
Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
oktaproduction9ounvcxa https://platform.cloud.coveo.com/rest/search https://support.okta.com/help/s/global-search/%40uri https://support.okta.com/help/services/apexrest/PublicSearchToken?site=help ...
Read More -
-
-
Testing your Okta visibility and detection with Dorothy and Elastic Security — Elastic Security Labs
Dorothy is a tool for security teams to test their visibility and detection capabilities for their Okta environment. IAM solutions are frequently targeted by adversaries but poorly monitored. Learn how to get started with Dorothy in this post.
Read More -
This article guides readers through establishing an Okta threat detection lab, emphasizing the importance of securing SaaS platforms like Okta. It details creating a lab environment with the Elastic Stack, integrating SIEM solutions, and Okta.
Read More -
This article delves into Okta's architecture and services, laying a solid foundation for threat research and detection engineering. Essential reading for those aiming to master threat hunting and detection in Okta environments.
Read More
Related rules
- Attempt to Deactivate an Okta Application
- Attempt to Delete an Okta Application
- Attempt to Revoke Okta API Token
- Possible Okta DoS Attack
- Administrator Privileges Assigned to an Okta Group