Techniques
Sample rules
Attempt to Deactivate an Okta Policy
- source: elastic
- technicques:
- T1562
Description
Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization’s security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.
Detection logic
event.dataset:okta.system and event.action:policy.lifecycle.deactivate