From 31ccf89dcc17dfb341eab79bd93cb9b739c805ae Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 12 Sep 2021 19:41:00 -0500
Subject: [PATCH] Update okta_network_zone_deactivated_or_deleted.yml
---
...ta_network_zone_deactivated_or_deleted.yml | 30 ++++++++++++++++++-
1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml
index c3b70785d..ca73d4f7a 100644
--- a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml
+++ b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml
@@ -1 +1,29 @@
-NOT READ YET
+NOT READY YET
+
+title: Okta
+id:
+description: Detects when an
+author: Austin Songer
+status: experimental
+date: 2021/
+references:
+ - https://developer.okta.com/docs/reference/api/system-log/
+ - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+ service: okta
+detection:
+ selection:
+ eventtype:
+ -
+ -
+ displaymessage:
+ -
+ -
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+falsepositives:
+ - Okta being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
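Review bot: The bare `NOT READY YET` on the first line is not a comment, so the file will most likely fail to parse as YAML once the mapping keys follow it; if the marker has to stay, write it as `# NOT READY YET`. The empty list items under `eventtype` and `displaymessage` are null values, so the `selection` as written matches nothing useful. For this rule the Okta event types would presumably be `zone.deactivate` and `zone.delete`, to be confirmed against the linked event-types reference. Matching on `eventtype` alone is more robust than also requiring exact `displaymessage` strings, since both keys in one selection are ANDed. `id` needs a UUID, `date: 2021/` is truncated, and the title, description and `falsepositives` text should name the network zone so an analyst knows what was changed.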