okta_attempt_to_deactivate_okta_policy_rule.toml

[metadata]
creation_date = "2020/05/21"
maturity = "production"
updated_date = "2020/10/26"

[rule]
author = ["Elastic"]
description = """
Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an
Okta policy in order to remove or weaken an organization's security controls.
"""
false_positives = [
    """
    Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in
    your organization.
    """,
]
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License"
name = "Attempt to Deactivate an Okta Policy Rule"
note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
references = [
    "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
]
risk_score = 47
rule_id = "cc92c835-da92-45c9-9f29-b4992ad621a0"
severity = "medium"
tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"]
type = "query"

query = '''
event.dataset:okta.system and event.action:policy.rule.deactivate
'''