# Elastic detection rule: alerts when an Okta network zone is deactivated.
# Bookkeeping fields live under [metadata]; everything the rule engine
# evaluates lives under [rule].
[metadata]
creation_date = "2020/11/06"
# Rule lifecycle state; "production" presumably means it ships enabled-ready.
maturity = "production"
# Equal to creation_date, so this is the rule's initial revision.
updated_date = "2020/11/06"
[rule]
author = ["Elastic"]
# Analyst-facing summary. Note that it mentions modify, delete AND deactivate,
# while the query below matches only the deactivate action (see comment on
# `query`); the description is broader than what this rule detects.
description = """
Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to
a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta
network zone in order to remove or weaken an organization's security controls.
"""
# Tuning guidance: environments that change zones routinely should add
# exceptions (e.g. for known admin accounts) rather than disable the rule.
false_positives = [
"""
Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are
regularly modified.
""",
]
# Index patterns searched; both depend on the Okta data source named in `note`.
index = ["filebeat-*", "logs-okta*"]
# Query syntax is KQL (Kibana Query Language).
language = "kuery"
license = "Elastic License"
name = "Attempt to Deactivate an Okta Network Zone"
# Data-source prerequisite shown to the analyst alongside the rule.
note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
# Okta docs for network zones and for the System Log event types the query
# keys on.
references = [
"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
]
# Numeric score and the `severity` label are set together; 47 is presumably
# the score band Elastic uses for "medium" — keep them consistent if either
# is changed.
risk_score = 47
# Stable identifier for this rule; presumably must not change across
# revisions so that alert history and exceptions stay attached.
rule_id = "8a5c1e5f-ad63-481e-b53a-ef959230f7f1"
severity = "medium"
tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Network Security"]
# A plain "query" rule: each matching event generates an alert (no
# threshold, sequence or ML logic).
type = "query"
# Matches Okta System Log events whose action is zone.deactivate. Zone
# deletion and modification are distinct actions in Okta's System Log and
# are NOT covered here; they would need their own rule or a widened query.
query = '''
event.dataset:okta.system and event.action:zone.deactivate
'''