LoFP / consider adding exceptions to this rule to filter false positives if your organization's okta applications are regularly deleted and the behavior is expected.

• T1562

Sample rules

Attempt to Delete an Okta Application

• source: elastic
• technicques:
  • T1489

Description

Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization’s security controls or disrupt their business operations.

Detection logic

event.dataset:okta.system and event.action:application.lifecycle.delete

Attempt to Deactivate an Okta Network Zone

• source: elastic
• technicques:
  • T1562

Description

Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization’s security controls.

Detection logic

event.dataset:okta.system and event.action:zone.deactivate

• T1489

Sample rules

Attempt to Delete an Okta Application

• source: elastic
• technicques:
  • T1489

Description

Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization’s security controls or disrupt their business operations.

Detection logic

event.dataset:okta.system and event.action:application.lifecycle.delete

Attempt to Deactivate an Okta Network Zone

• source: elastic
• technicques:
  • T1562

Description

Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization’s security controls.

Detection logic

event.dataset:okta.system and event.action:zone.deactivate

Attempt to Deactivate an Okta Application

• source: elastic
• technicques:
  • T1489

Description

Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization’s security controls or disrupt their business operations.

Detection logic

event.dataset:okta.system and event.action:application.lifecycle.deactivate

Sample rules

Attempt to Delete an Okta Application

• source: elastic
• technicques:
  • T1489

Description

Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization’s security controls or disrupt their business operations.

Detection logic

event.dataset:okta.system and event.action:application.lifecycle.delete

Attempt to Deactivate an Okta Network Zone

• source: elastic
• technicques:
  • T1562

Description

Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization’s security controls.

Detection logic

event.dataset:okta.system and event.action:zone.deactivate

• T1489

Sample rules

Attempt to Delete an Okta Application

• source: elastic
• technicques:
  • T1489

Description

Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization’s security controls or disrupt their business operations.

Detection logic

event.dataset:okta.system and event.action:application.lifecycle.delete

Attempt to Deactivate an Okta Network Zone

• source: elastic
• technicques:
  • T1562

Description

Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization’s security controls.

Detection logic

event.dataset:okta.system and event.action:zone.deactivate

Attempt to Deactivate an Okta Application

• source: elastic
• technicques:
  • T1489

Description

Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization’s security controls or disrupt their business operations.

Detection logic

event.dataset:okta.system and event.action:application.lifecycle.deactivate

Attempt to Modify an Okta Application

• source: elastic
• technicques:

Description

Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization’s security controls or disrupt their business operations.

Detection logic

event.dataset:okta.system and event.action:application.lifecycle.update