# Elastic prebuilt detection rule: alerts on an Okta policy being deactivated.
# Lifecycle bookkeeping for the rule itself; dates are kept as YYYY/MM/DD strings.
[metadata]
creation_date = "2020/05/21"
# Lifecycle state of the rule within the detection-rules repository.
maturity = "production"
updated_date = "2020/10/26"
# Rule definition consumed by the Elastic Security detection engine.
[rule]
author = ["Elastic"]
description = """
Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken
an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor
authentication (MFA) policy in order to weaken the authentication requirements for user accounts.
"""
# Known benign cause: sanctioned policy changes. Tune with rule exceptions rather than by editing the query.
false_positives = [
"""
If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false
positives.
""",
]
# Index patterns searched: Filebeat's Okta module and the Okta Fleet integration data streams.
index = ["filebeat-*", "logs-okta*"]
# Query is written in KQL (see `type = "query"` below).
language = "kuery"
license = "Elastic License"
name = "Attempt to Deactivate an Okta Policy"
note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
# Okta documentation for security policies and for the System Log event types the query keys on.
references = [
"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
]
# Low severity by design: a single policy deactivation is a lead for triage, not a confirmed compromise;
# correlate with who performed the change and which policy was affected.
risk_score = 21
# Stable identifier for this rule; must not change across updates so exceptions and alert history stay attached.
rule_id = "b719a170-3bdb-4141-b0e3-13e3cf627bfe"
severity = "low"
tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
type = "query"
# Matches Okta System Log events (dataset okta.system) whose action is policy.lifecycle.deactivate.
# The query does not filter on the event outcome, so a failed deactivation, if logged under the same
# action, matches as well — hence "Attempt" in the rule name. It also does not restrict which kind of
# policy was deactivated (the description cites MFA as the case of concern); read the affected policy
# and the acting user from the alerting event when triaging.
query = '''
event.dataset:okta.system and event.action:policy.lifecycle.deactivate
'''