okta_attempt_to_modify_okta_policy_rule.toml

[metadata]
creation_date = "2020/05/21"
maturity = "production"
updated_date = "2020/10/26"

[rule]
author = ["Elastic"]
description = """
Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order
to weaken an organization's security controls.
"""
false_positives = [
    """
    Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your
    organization.
    """,
]
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License"
name = "Attempt to Modify an Okta Policy Rule"
note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
references = [
    "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
]
risk_score = 21
rule_id = "000047bb-b27a-47ec-8b62-ef1a5d2c9e19"
severity = "low"
tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"]
type = "query"

query = '''
event.dataset:okta.system and event.action:policy.rule.update
'''