LoFP / Consider adding exceptions to this rule to filter false positives if sign-on policies for Okta applications are regularly modified or deleted in your organization.

Techniques

Sample rules

Modification or Removal of an Okta Application Sign-On Policy

Description

Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization’s security controls.

Detection logic

event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)
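
The following is an added example, not part of the original rule: it applies the detection logic above to constructed events and shows exceptions scoped to an actor and action pair, so that an approved account's policy updates are filtered while a rule deletion by the same account still alerts. The actor field okta.actor.alternate_id, the account names and the exception list are assumptions made for illustration.

```python
# Added example: the rule's match logic plus narrowly scoped exceptions.
RULE_DATASET = "okta.system"
RULE_ACTIONS = {
    "application.policy.sign_on.update",
    "application.policy.sign_on.rule.delete",
}

# Hypothetical exception list: (actor, action) pairs approved by change control.
# Scoping by action keeps a rule deletion by the same actor visible.
EXCEPTIONS = {
    ("okta-automation@example.com", "application.policy.sign_on.update"),
}


def classify(event):
    """Return 'no_match', 'suppressed' or 'alert' for one flattened event."""
    if event.get("event.dataset") != RULE_DATASET:
        return "no_match"
    action = event.get("event.action")
    if action not in RULE_ACTIONS:
        return "no_match"
    actor = event.get("okta.actor.alternate_id")  # assumed actor field
    if (actor, action) in EXCEPTIONS:
        return "suppressed"
    # Events with a missing or unknown actor are never suppressed.
    return "alert"


def triage(events):
    """Classify a batch of events, preserving order."""
    return [classify(e) for e in events]


def _ev(dataset, action, actor=None):
    """Build one constructed sample event (not a real log line)."""
    ev = {"event.dataset": dataset, "event.action": action}
    if actor is not None:
        ev["okta.actor.alternate_id"] = actor
    return ev


UPDATE = "application.policy.sign_on.update"
DELETE = "application.policy.sign_on.rule.delete"
SAMPLE_EVENTS = [
    _ev("okta.system", UPDATE, "okta-automation@example.com"),  # approved change
    _ev("okta.system", DELETE, "okta-automation@example.com"),  # not approved
    _ev("okta.system", UPDATE, "j.doe@example.com"),            # unlisted actor
    _ev("okta.system", "user.session.start", "j.doe@example.com"),
    _ev("other.dataset", UPDATE, "okta-automation@example.com"),
    _ev("okta.system", UPDATE),                                 # actor missing
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(verdict, event)
```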