okta_attempt_to_delete_okta_application.toml

[metadata]
creation_date = "2020/11/06"
maturity = "production"
updated_date = "2020/11/06"

[rule]
author = ["Elastic"]
description = """
Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta
application in order to weaken an organization's security controls or disrupt their business operations.
"""
false_positives = [
    """
    Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are
    regularly deleted and the behavior is expected.
    """,
]
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License"
name = "Attempt to Delete an Okta Application"
note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
]
risk_score = 21
rule_id = "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f"
severity = "low"
tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
type = "query"

query = '''
event.dataset:okta.system and event.action:application.lifecycle.delete
'''