LoFP / Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization.

Sample rules

Attempt to Delete an Okta Policy Rule

Description

Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization’s security controls.

Detection logic

event.dataset:okta.system and event.action:policy.rule.delete

Attempt to Modify an Okta Policy Rule

Description

Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization’s security controls.

Detection logic

event.dataset:okta.system and event.action:policy.rule.update

Attempt to Deactivate an Okta Policy Rule

Description

Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization’s security controls.

Detection logic

event.dataset:okta.system and event.action:policy.rule.deactivate
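
The false-positive guidance at the top of this page can be expressed as an actor exception applied to the three queries above. The following is an added example, not part of the original rules: the sample events and the approved account are constructed, and the actor field name `okta.actor.alternate_id` is assumed to be how the Okta integration exposes the acting user.

```python
# Added example: the three queries above plus an actor exception.
# Events and the approved account below are constructed for illustration.
RULE_ACTIONS = {
    "policy.rule.delete": "Attempt to Delete an Okta Policy Rule",
    "policy.rule.update": "Attempt to Modify an Okta Policy Rule",
    "policy.rule.deactivate": "Attempt to Deactivate an Okta Policy Rule",
}

# Assumption: accounts that change policy rules as routine work (hypothetical).
APPROVED_ACTORS = {"idp-admin@example.com"}


def get(event, dotted):
    """Resolve a dotted field name in a nested dict; None if any part is absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(event, approved=APPROVED_ACTORS):
    """Return (rule name, verdict) when a rule matches, otherwise None."""
    if get(event, "event.dataset") != "okta.system":
        return None
    rule = RULE_ACTIONS.get(get(event, "event.action"))
    if rule is None:
        return None
    actor = get(event, "okta.actor.alternate_id")  # assumed field name
    # An event with no actor never matches the exception, so it still alerts.
    if isinstance(actor, str) and actor.lower() in approved:
        return (rule, "suppressed")
    return (rule, "alert")


def triage(events):
    """Evaluate every event and keep only those that matched a rule."""
    return [r for r in map(evaluate, events) if r is not None]


def _ev(action, actor=None):
    okta = {"actor": {"alternate_id": actor}} if actor else {}
    return {"event": {"dataset": "okta.system", "action": action}, "okta": okta}


SAMPLE_EVENTS = [  # constructed
    _ev("policy.rule.update", "IDP-Admin@example.com"),
    _ev("policy.rule.delete", "contractor@example.com"),
    _ev("policy.rule.deactivate"),
    _ev("user.session.start", "idp-admin@example.com"),
]
```

Suppressed matches are returned rather than dropped, so changes made by approved accounts can still be reviewed in bulk.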