Okta Application Sign-On Policy Modified or Deleted

 1title: Okta Application Sign-On Policy Modified or Deleted
 2id: 8f668cc4-c18e-45fe-ad00-624a981cf88a
 3status: test
 4description: Detects when an application Sign-on Policy is modified or deleted.
 5references:
 6    - https://developer.okta.com/docs/reference/api/system-log/
 7    - https://developer.okta.com/docs/reference/api/event-types/
 8author: Austin Songer @austinsonger
 9date: 2021-09-12
10modified: 2022-10-09
11tags:
12    - attack.impact
13logsource:
14    product: okta
15    service: okta
16detection:
17    selection:
18        eventtype:
19            - application.policy.sign_on.update
20            - application.policy.sign_on.rule.delete
21    condition: selection
22falsepositives:
23    - Unknown
24level: medium

References

• System Log | Okta Developer

  Secure, scalable, and highly available authentication and user management for any app.

  
  Read More

• Event Types | Okta Developer

  Secure, scalable, and highly available authentication and user management for any app.

  
  Read More

Related rules

• AADInternals PowerShell Cmdlets Execution - ProccessCreation
• AADInternals PowerShell Cmdlets Execution - PsScript
• AWS EC2 Disable EBS Encryption
• AWS EFS Fileshare Modified or Deleted
• AWS EFS Fileshare Mount Modified or Deleted