# Prebuilt detection rule in the elastic/detection-rules file format:
# alerts on any Okta policy lifecycle update so that changes which could
# weaken authentication controls (e.g. MFA policy edits) get reviewed.
[metadata]
# Dates are kept as "YYYY/MM/DD" strings (the convention used by this
# rule's other date fields), not native TOML dates.
creation_date = "2020/05/21"
maturity = "production"
updated_date = "2021/07/20"
# Names the Fleet integration this rule depends on; see `note` below.
integration = "okta"
[rule]
author = ["Elastic"]
description = """
Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an
organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication
(MFA) policy in order to weaken the authentication requirements for user accounts.
"""
# The query below matches every policy update, not only suspicious ones, so
# routine administrative changes will fire; exceptions are the tuning knob.
false_positives = [
"""
Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your
organization.
""",
]
# Covers both the Filebeat module pattern and the Fleet integration pattern.
index = ["filebeat-*", "logs-okta*"]
# KQL: the query is a plain boolean filter with no sequence or threshold logic.
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Modify an Okta Policy"
# Free-text guidance shown alongside the rule; "## Config" reads as a
# markdown heading, so this text is presumably rendered as markdown.
note = """## Config
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
]
# Low risk/severity: a policy update is an expected admin action on its own;
# the value of the alert is in confirming who changed which policy and why.
risk_score = 21
rule_id = "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45"
severity = "low"
tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
# Evaluates on ingest time rather than the event's own timestamp.
# NOTE(review): presumably so that Okta log events delivered with a delay
# still fall inside the rule's lookback window — confirm against the
# rule-engine docs before relying on this.
timestamp_override = "event.ingested"
# Plain "query" rule type (no threshold, EQL sequence or ML component).
type = "query"
# Scope is deliberately broad: only the dataset and the action are
# constrained, so policy type (e.g. the MFA policies the description calls
# out), actor and outcome are not distinguished here. Narrow or enrich via
# exceptions and investigation rather than by editing the query.
query = '''
event.dataset:okta.system and event.action:policy.lifecycle.update
'''