forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathokta_attempt_to_modify_okta_policy.toml
36 lines (34 loc) · 1.24 KB
/
okta_attempt_to_modify_okta_policy.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
[metadata]
creation_date = "2020/05/21"
maturity = "production"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
description = """
Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an
organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication
(MFA) policy in order to weaken the authentication requirements for user accounts.
"""
false_positives = [
"""
Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your
organization.
""",
]
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License"
name = "Attempt to Modify an Okta Policy"
note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
]
risk_score = 21
rule_id = "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45"
severity = "low"
tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
type = "query"
query = '''
event.dataset:okta.system and event.action:policy.lifecycle.update
'''