Okta Policy Modified or Deleted

 1title: Okta Policy Modified or Deleted
 2id: 1667a172-ed4c-463c-9969-efd92195319a
 3status: test
 4description: Detects when an Okta policy is modified or deleted.
 5references:
 6    - https://developer.okta.com/docs/reference/api/system-log/
 7    - https://developer.okta.com/docs/reference/api/event-types/
 8author: Austin Songer @austinsonger
 9date: 2021/09/12
10modified: 2022/10/09
11tags:
12    - attack.impact
13logsource:
14    product: okta
15    service: okta
16detection:
17    selection:
18        eventtype:
19            - policy.lifecycle.update
20            - policy.lifecycle.delete
21    condition: selection
22falsepositives:
23    - Okta Policies being modified or deleted may be performed by a system administrator.
24    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
25    - Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
26level: low

References

• System Log | Okta Developer

  

  Secure, scalable, and highly available authentication and user management for any app.

  
  Read More

• Event Types | Okta Developer

  Secure, scalable, and highly available authentication and user management for any app.

  
  Read More

Related rules

• Okta API Token Revoked
• Okta Application Modified or Deleted
• Okta Application Sign-On Policy Modified or Deleted
• Okta Network Zone Deactivated or Deleted
• Okta Policy Rule Modified or Deleted