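# Elastic prebuilt detection rule: alerts when an Okta System Log event records
# the deletion of a network zone. Maintained in the elastic/detection-rules format
# ([metadata] for lifecycle fields, [rule] for the detection itself).
[metadata]
creation_date = "2020/11/06"
maturity = "production"
updated_date = "2020/11/06"

[rule]
author = ["Elastic"]
description = """
Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a
network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network
zone in order to remove or weaken an organization's security controls.
"""
# Prefer scoping exceptions (e.g. to known administrative accounts) over disabling
# the rule when zone deletions are a routine part of change management.
false_positives = [
"""
Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are
regularly deleted.
""",
]
# Index patterns for the two ingestion paths named in `note` below
# (Filebeat module and Fleet integration); both are searched.
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License"
name = "Attempt to Delete an Okta Network Zone"
note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
references = [
"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
]
risk_score = 47
rule_id = "c749e367-a069-4a73-b1f2-43a3798153ad"
severity = "medium"
tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Network Security"]
type = "query"
# Only the zone.delete event type is matched. The description also mentions
# modifying or deactivating a zone; those Okta event types are not covered by
# this query and need their own rule if that coverage is wanted.
query = '''
event.dataset:okta.system and event.action:zone.delete
'''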