Modification or Removal of an Okta Application Sign-On Policy
Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/07/01"
3integration = ["okta"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/08/17"
8
9[rule]
10author = ["Elastic"]
11description = """
12Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or
13delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.
14"""
15false_positives = [
16 """
17 Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are
18 regularly modified or deleted in your organization.
19 """,
20]
21index = ["filebeat-*", "logs-okta*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "Modification or Removal of an Okta Application Sign-On Policy"
25note = """## Setup
26
27The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
28references = [
29 "https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm",
30 "https://developer.okta.com/docs/reference/api/system-log/",
31 "https://developer.okta.com/docs/reference/api/event-types/",
32 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
33]
34risk_score = 47
35rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe"
36severity = "medium"
37tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"]
38timestamp_override = "event.ingested"
39type = "query"
40
41query = '''
42event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1556"
50name = "Modify Authentication Process"
51reference = "https://attack.mitre.org/techniques/T1556/"
52
53
54[rule.threat.tactic]
55id = "TA0003"
56name = "Persistence"
57reference = "https://attack.mitre.org/tactics/TA0003/"
Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
-
-
Testing your Okta visibility and detection with Dorothy and Elastic Security — Elastic Security Labs
Dorothy is a tool for security teams to test their visibility and detection capabilities for their Okta environment. IAM solutions are frequently targeted by adversaries but poorly monitored. Learn how to get started with Dorothy in this post.
Read More
Related rules
- Attempt to Deactivate MFA for an Okta User Account
- Attempt to Reset MFA Factors for an Okta User Account
- Administrator Privileges Assigned to an Okta Group
- Administrator Role Assigned to an Okta User
- Attempt to Create Okta API Token