forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathokta_attempt_to_delete_okta_policy_rule.toml
41 lines (37 loc) · 1.29 KB
/
okta_attempt_to_delete_okta_policy_rule.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
[metadata]
creation_date = "2020/11/06"
maturity = "production"
updated_date = "2021/07/20"
integration = "okta"
[rule]
author = ["Elastic"]
description = """
Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order
to weaken an organization's security controls.
"""
false_positives = [
"""
Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your
organization.
""",
]
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Delete an Okta Policy Rule"
note = """## Config
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
]
risk_score = 21
rule_id = "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd"
severity = "low"
tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:okta.system and event.action:policy.rule.delete
'''