forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathokta_attempt_to_modify_okta_application.toml
41 lines (37 loc) · 1.37 KB
/
okta_attempt_to_modify_okta_application.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
[metadata]
creation_date = "2020/11/06"
maturity = "production"
updated_date = "2021/07/20"
integration = "okta"
[rule]
author = ["Elastic"]
description = """
Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta
application in order to weaken an organization's security controls or disrupt their business operations.
"""
false_positives = [
"""
Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are
regularly modified and the behavior is expected.
""",
]
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Modify an Okta Application"
note = """## Config
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
]
risk_score = 21
rule_id = "c74fd275-ab2c-4d49-8890-e2943fa65c09"
severity = "low"
tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:okta.system and event.action:application.lifecycle.update
'''