Okta Policy Modified or Deleted
Detects when an Okta policy is modified or deleted.
Sigma rule (View on GitHub)
1title: Okta Policy Modified or Deleted
2id: 1667a172-ed4c-463c-9969-efd92195319a
3status: test
4description: Detects when an Okta policy is modified or deleted.
5references:
6 - https://developer.okta.com/docs/reference/api/system-log/
7 - https://developer.okta.com/docs/reference/api/event-types/
8author: Austin Songer @austinsonger
9date: 2021/09/12
10modified: 2022/10/09
11tags:
12 - attack.impact
13logsource:
14 product: okta
15 service: okta
16detection:
17 selection:
18 eventtype:
19 - policy.lifecycle.update
20 - policy.lifecycle.delete
21 condition: selection
22falsepositives:
23 - Okta Policies being modified or deleted may be performed by a system administrator.
24 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
25 - Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
26level: low
References
Related rules
- Okta API Token Revoked
- Okta Application Modified or Deleted
- Okta Application Sign-On Policy Modified or Deleted
- Okta Network Zone Deactivated or Deleted
- Okta Policy Rule Modified or Deleted