From 0d51178174a7c81a288dc571b5a9673f3f0f71f2 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 12 Sep 2021 19:13:15 -0500
Subject: [PATCH 01/31] Create okta_policy_modified_or_deleted.yml

---
 .../okta/okta_policy_modified_or_deleted.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/cloud/okta/okta_policy_modified_or_deleted.yml

diff --git a/rules/cloud/okta/okta_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_modified_or_deleted.yml
new file mode 100644
index 000000000..494af5b50
--- /dev/null
+++ b/rules/cloud/okta/okta_policy_modified_or_deleted.yml
@@ -0,0 +1,24 @@
+title: Okta Policy Modified or Deleted
+id: 1667a172-ed4c-463c-9969-efd92195319a
+description: Detects when an Okta policy is modified or deleted.
+author: Austin Songer
+status: experimental
+date: 2021/09/12
+references:
+ - https://developer.okta.com/docs/reference/api/system-log/
+ - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+ service: okta
+detection:
+ selection:
+ displaymessge:
+ - policy.lifecycle.update
+ - policy.lifecycle.delete
+ condition: selection
+level: low
+tags:
+ - attack.impact
+falsepositives:
+ - Okta Policies being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

From ebd120a16507db1f5e745fa575e7b6be8f43e5bf Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 12 Sep 2021 19:17:00 -0500
Subject: [PATCH 02/31] Create okta_application_modified_or_deleted.yml

---
 rules/cloud/okta/okta_application_modified_or_deleted.yml | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 rules/cloud/okta/okta_application_modified_or_deleted.yml
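Review bot: `level: low` undersells this rule: deleting or loosening a sign-on, password or MFA policy is a standard way to weaken authentication ahead of an account takeover, and the sibling rules in this series rate comparable changes `medium`. The tactic tag also looks wrong — changing a security policy is defense evasion (Impair Defenses) rather than `attack.impact` — so I would set `level: medium` and `- attack.defense_evasion` plus the matching technique ID. Two of the three `falsepositives` bullets are investigation guidance rather than sources of benign matches; keep the administrator bullet and move the other two into the description. Separately, the selection key `displaymessge` is misspelled (other rules in this series use `displaymessage`); a later patch in the series swaps it for `eventtype`, which is the right field for these values anyway.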
diff --git a/rules/cloud/okta/okta_application_modified_or_deleted.yml b/rules/cloud/okta/okta_application_modified_or_deleted.yml new file mode 100644 index 000000000..41a74b121 --- /dev/null +++ b/rules/cloud/okta/okta_application_modified_or_deleted.yml @@ -0,0 +1 @@ +NOT READY YET From 76d78c274ae31ffb18ea312f973830b9ddf93bb0 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:17:25 -0500 Subject: [PATCH 03/31] Create okta_policy_rule_modified_or_deleted.yml --- rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml diff --git a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml new file mode 100644 index 000000000..41a74b121 --- /dev/null +++ b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml @@ -0,0 +1 @@ +NOT READY YET From fefb8564717d69af72ededb4172bc7ec00aac734 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:20:54 -0500 Subject: [PATCH 04/31] Create okta_account_mfa_reset.yml --- rules/cloud/okta/okta_account_mfa_reset.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 rules/cloud/okta/okta_account_mfa_reset.yml diff --git a/rules/cloud/okta/okta_account_mfa_reset.yml b/rules/cloud/okta/okta_account_mfa_reset.yml new file mode 100644 index 000000000..41a74b121 --- /dev/null +++ b/rules/cloud/okta/okta_account_mfa_reset.yml @@ -0,0 +1 @@ +NOT READY YET From c51e1db2288c58a7637df6647672c35ae01744cf Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:22:15 -0500 Subject: [PATCH 05/31] Create okta_network_zone_deactivated_or_deleted.yml --- rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml 
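Review bot: Committing `NOT READY YET` as the entire content of a file under rules/ leaves a rule with none of the required Sigma fields (title, id, logsource, detection), which is likely to fail any schema or loader check the repository runs over that directory. The same placeholder is committed for four more files in the following patches and one of them even misspells it as `NOT READ YET`. These should be squashed with their later "Update" commits so no intermediate revision carries an unparseable rule.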
diff --git a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml new file mode 100644 index 000000000..c3b70785d --- /dev/null +++ b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml @@ -0,0 +1 @@ +NOT READ YET From d5653cbfd0b7f6fda9467f5a92f1cbf4f90dfdea Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:24:57 -0500 Subject: [PATCH 06/31] Create okta_user_account_mfa_bypass_attempt.yml --- rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml diff --git a/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml b/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml new file mode 100644 index 000000000..41a74b121 --- /dev/null +++ b/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml @@ -0,0 +1 @@ +NOT READY YET From 1af9120f3771e54bfe753124347255270c8671b2 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:25:11 -0500 Subject: [PATCH 07/31] Rename okta_account_mfa_reset.yml to okta_user_account_mfa_reset.yml --- ...okta_account_mfa_reset.yml => okta_user_account_mfa_reset.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/okta/{okta_account_mfa_reset.yml => okta_user_account_mfa_reset.yml} (100%) diff --git a/rules/cloud/okta/okta_account_mfa_reset.yml b/rules/cloud/okta/okta_user_account_mfa_reset.yml similarity index 100% rename from rules/cloud/okta/okta_account_mfa_reset.yml rename to rules/cloud/okta/okta_user_account_mfa_reset.yml From 12e5eeac9ecb3e5d4e2243e9b2c829ca331c609f Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:30:03 -0500 Subject: [PATCH 08/31] Update okta_policy_modified_or_deleted.yml --- rules/cloud/okta/okta_policy_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/cloud/okta/okta_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_modified_or_deleted.yml index 494af5b50..2e72accd1 100644 --- a/rules/cloud/okta/okta_policy_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_policy_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: okta detection: selection: - displaymessge: + eventtype: - policy.lifecycle.update - policy.lifecycle.delete condition: selection From 8607af29e0f2322d2ae1f2c35841c935c0b1976a Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:35:19 -0500 Subject: [PATCH 09/31] Create okta_user_account_lockout.yml --- .../cloud/okta/okta_user_account_lockout.yml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 rules/cloud/okta/okta_user_account_lockout.yml diff --git a/rules/cloud/okta/okta_user_account_lockout.yml b/rules/cloud/okta/okta_user_account_lockout.yml new file mode 100644 index 000000000..92fd1081b --- /dev/null +++ b/rules/cloud/okta/okta_user_account_lockout.yml @@ -0,0 +1,20 @@ +title: Okta User Account Lock out +id: 14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a +description: Detects when an user account is locked out. +author: Austin Songer +status: experimental +date: 2021/09/12 +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + service: okta +detection: + selection: + displaymessage: Max sign in attempts exceeded + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown From 8b0756bd32f7c1ab9da0a0d3b798c3d6806fa649 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:39:24 -0500 Subject: [PATCH 10/31] Create okta_unauthorized_access_to_app.yml --- .../okta/okta_unauthorized_access_to_app.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/cloud/okta/okta_unauthorized_access_to_app.yml 
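Review bot: Matching on `displaymessage: Max sign in attempts exceeded` in the lockout rule ties detection to free-form UI text that Okta can reword, whereas the rest of this series keys on the structured `eventtype` field; the lockout event in the linked event-types reference is `user.account.lock`, so `eventtype: user.account.lock` would be the more stable selection. The tag is also off — a lockout after repeated failures is the signature of brute-force credential access, not impact — so `- attack.credential_access` and `- attack.t1110` fit better. `falsepositives: Unknown` can be made useful: a user mistyping a recently changed password is the common benign cause.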
diff --git a/rules/cloud/okta/okta_unauthorized_access_to_app.yml b/rules/cloud/okta/okta_unauthorized_access_to_app.yml
new file mode 100644
index 000000000..f0045b706
--- /dev/null
+++ b/rules/cloud/okta/okta_unauthorized_access_to_app.yml
@@ -0,0 +1,21 @@
+title: Okta Unauthorized Access to App
+id: 6cc2b61b-d97e-42ef-a9dd-8aa8dc951657
+description: Detects when unauthorized access to app occurs.
+author: Austin Songer
+status: experimental
+date: 2021/09/12
+references:
+ - https://developer.okta.com/docs/reference/api/system-log/
+ - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+ service: okta
+detection:
+ selection:
+ displaymessage:
+ - User attempted unauthorized access to app
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+falsepositives:
+ - User might of believe that they had access.

From 08e79bb22efe272603fd46a94021d76cb60c4ac5 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 12 Sep 2021 19:40:49 -0500
Subject: [PATCH 11/31] Update okta_application_modified_or_deleted.yml

---
 .../okta_application_modified_or_deleted.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/rules/cloud/okta/okta_application_modified_or_deleted.yml b/rules/cloud/okta/okta_application_modified_or_deleted.yml
index 41a74b121..ca73d4f7a 100644
--- a/rules/cloud/okta/okta_application_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_application_modified_or_deleted.yml
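Review bot: The same display-text concern applies here: `User attempted unauthorized access to app` is UI wording, and if I read the linked event-types reference correctly Okta logs this as `eventtype: app.generic.unauth_app_access_attempt`, which is the value worth matching on (or alongside the text). `attack.impact` does not describe a user probing apps they have not been assigned; this is closer to discovery, or lateral movement when the actor is an already-compromised account, so I would retag accordingly. The false-positive text should read `User might have believed that they had access` — and since that is genuinely the dominant benign cause, a single event at `level: medium` will be noisy; a count threshold per user, or correlation with other signals, would help.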
@@ -1 +1,29 @@ NOT READY YET + +title: Okta +id: +description: Detects when an +author: Austin Songer +status: experimental +date: 2021/ +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + service: okta +detection: + selection: + eventtype: + - + - + displaymessage: + - + - + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Okta being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 31ccf89dcc17dfb341eab79bd93cb9b739c805ae Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:41:00 -0500 Subject: [PATCH 12/31] Update okta_network_zone_deactivated_or_deleted.yml --- ...ta_network_zone_deactivated_or_deleted.yml | 30 ++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml index c3b70785d..ca73d4f7a 100644 --- a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml +++ b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml 
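Review bot: The skeleton being added is not valid YAML: the leading `NOT READY YET` line is parsed as a plain scalar, and the `title: Okta` mapping that follows cannot continue it, so a YAML loader will reject the file. Even with that line removed, `id:` and the bare `-` list items parse as null and `date: 2021/` is not a date, so the file cannot pass a rule schema check. Since the same skeleton lands in five files across patches 11–15 and 17–18, consider keeping the template outside rules/ (or on a draft branch) and committing each rule only once it is filled in.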
@@ -1 +1,29 @@ -NOT READ YET +NOT READY YET + +title: Okta +id: +description: Detects when an +author: Austin Songer +status: experimental +date: 2021/ +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + service: okta +detection: + selection: + eventtype: + - + - + displaymessage: + - + - + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Okta being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 30823b72b24c713aa2cd3422e7cbd8ba6442d66a Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:41:14 -0500 Subject: [PATCH 13/31] Update okta_policy_rule_modified_or_deleted.yml --- .../okta_policy_rule_modified_or_deleted.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml index 41a74b121..ca73d4f7a 100644 --- a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml 
@@ -1 +1,29 @@ NOT READY YET + +title: Okta +id: +description: Detects when an +author: Austin Songer +status: experimental +date: 2021/ +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + service: okta +detection: + selection: + eventtype: + - + - + displaymessage: + - + - + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Okta being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 4d58194dab1150498272250324a4e6bcdd6023af Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:41:38 -0500 Subject: [PATCH 14/31] Update okta_user_account_mfa_bypass_attempt.yml --- .../okta_user_account_mfa_bypass_attempt.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml b/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml index 41a74b121..ca73d4f7a 100644 --- a/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml +++ b/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml 
@@ -1 +1,29 @@ NOT READY YET + +title: Okta +id: +description: Detects when an +author: Austin Songer +status: experimental +date: 2021/ +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + service: okta +detection: + selection: + eventtype: + - + - + displaymessage: + - + - + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Okta being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 7b371621078e2a8b88ed4beae8bec92d8f8a0b2c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:41:50 -0500 Subject: [PATCH 15/31] Update okta_user_account_mfa_reset.yml --- .../okta/okta_user_account_mfa_reset.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/rules/cloud/okta/okta_user_account_mfa_reset.yml b/rules/cloud/okta/okta_user_account_mfa_reset.yml index 41a74b121..ca73d4f7a 100644 --- a/rules/cloud/okta/okta_user_account_mfa_reset.yml +++ b/rules/cloud/okta/okta_user_account_mfa_reset.yml 
@@ -1 +1,29 @@ NOT READY YET + +title: Okta +id: +description: Detects when an +author: Austin Songer +status: experimental +date: 2021/ +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + service: okta +detection: + selection: + eventtype: + - + - + displaymessage: + - + - + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Okta being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 5f7e657319b016ed14bfacbd329cecfdcf0afad5 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:45:57 -0500 Subject: [PATCH 16/31] Create okta_admin_role_assigned_to_user_or_group.yml --- ...a_admin_role_assigned_to_user_or_group.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml diff --git a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml new file mode 100644 index 000000000..1ded4c5de --- /dev/null +++ b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml 
@@ -0,0 +1,23 @@
+title: Okta Admin Role Assigned to an User or Group
+id: 413d4a81-6c98-4479-9863-014785fd579c
+description: Detects when an the Administrator role is assigned to an user or group.
+author: Austin Songer
+status: experimental
+date: 2021/09/12
+references:
+ - https://developer.okta.com/docs/reference/api/system-log/
+ - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+ service: okta
+detection:
+ selection:
+ eventtype:
+ - group.privilege.grant
+ - user.account.privilege.grant
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+falsepositives:
+ - Administrator roles could be assigned to users or group by other admin users.
+
From 329c5e96fc187376ad74e951fc9e46b8e0a6eb3d Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 12 Sep 2021 19:47:21 -0500
Subject: [PATCH 17/31] Create okta_api_token_created.yml

---
 rules/cloud/okta/okta_api_token_created.yml | 30 +++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/cloud/okta/okta_api_token_created.yml

diff --git a/rules/cloud/okta/okta_api_token_created.yml b/rules/cloud/okta/okta_api_token_created.yml
new file mode 100644
index 000000000..dee792627
--- /dev/null
+++ b/rules/cloud/okta/okta_api_token_created.yml
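Review bot: The description promises detection of "the Administrator role", but `user.account.privilege.grant` and `group.privilege.grant` fire for every admin role assignment, including scoped ones such as read-only or help-desk admin — either reword to "an admin role" or add a filter on the granted role so the rule means what it says. Granting admin rights is persistence/privilege escalation (Account Manipulation) rather than impact; I would tag `- attack.persistence` and `- attack.privilege_escalation` with the technique ID, and a Super Administrator grant arguably deserves `level: high`. Grammar: `title: Okta Admin Role Assigned to a User or Group` and `description: Detects when an administrator role is assigned to a user or group.`. The file also appears to end with an extra empty added line, which the sibling rules do not have.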
@@ -0,0 +1,30 @@ +NOT READY YET + +title: Okta +id: +description: Detects when an +author: Austin Songer +status: experimental +date: 2021/ +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + service: okta +detection: + selection: + eventtype: + - + - + displaymessage: + - + - + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Okta being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + From f2274379203e243034e9cd951b972ac834c519bb Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 19:47:59 -0500 Subject: [PATCH 18/31] Create okta_api_token_revoked.yml --- rules/cloud/okta/okta_api_token_revoked.yml | 29 +++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/cloud/okta/okta_api_token_revoked.yml diff --git a/rules/cloud/okta/okta_api_token_revoked.yml b/rules/cloud/okta/okta_api_token_revoked.yml new file mode 100644 index 000000000..ca73d4f7a --- /dev/null +++ b/rules/cloud/okta/okta_api_token_revoked.yml 
@@ -0,0 +1,29 @@ +NOT READY YET + +title: Okta +id: +description: Detects when an +author: Austin Songer +status: experimental +date: 2021/ +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + service: okta +detection: + selection: + eventtype: + - + - + displaymessage: + - + - + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Okta being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From aa8978e9da53bfb6ecb8c26442b32398fecbd0e4 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 20:14:27 -0500 Subject: [PATCH 19/31] Update okta_api_token_created.yml --- rules/cloud/okta/okta_api_token_created.yml | 24 ++++++--------------- 1 file changed, 7 insertions(+), 17 deletions(-) diff --git a/rules/cloud/okta/okta_api_token_created.yml b/rules/cloud/okta/okta_api_token_created.yml index dee792627..a4a49a16d 100644 --- a/rules/cloud/okta/okta_api_token_created.yml +++ b/rules/cloud/okta/okta_api_token_created.yml @@ -1,11 +1,9 @@ -NOT READY YET - -title: Okta -id: -description: Detects when an +title: Okta API Token Created +id: 19951c21-229d-4ccb-8774-b993c3ff3c5c +description: Detects when a API token is created author: Austin Songer status: experimental -date: 2021/ +date: 2021/09/12 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ 
@@ -13,18 +11,10 @@ logsource: service: okta detection: selection: - eventtype: - - - - - displaymessage: - - - - + eventtype: system.api_token.create condition: selection level: medium tags: - - attack.impact + - attack.persistence falsepositives: - - Okta being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - + - Unknown From 9f7033687997142f04c3359edba7be23242d9ec8 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 20:16:37 -0500 Subject: [PATCH 20/31] Update okta_api_token_revoked.yml --- rules/cloud/okta/okta_api_token_revoked.yml | 22 +++++++-------------- 1 file changed, 7 insertions(+), 15 deletions(-) diff --git a/rules/cloud/okta/okta_api_token_revoked.yml b/rules/cloud/okta/okta_api_token_revoked.yml index ca73d4f7a..76738fb9d 100644 --- a/rules/cloud/okta/okta_api_token_revoked.yml +++ b/rules/cloud/okta/okta_api_token_revoked.yml @@ -1,11 +1,9 @@ -NOT READY YET - -title: Okta -id: -description: Detects when an +title: Okta API Token Revoked +id: cf1dbc6b-6205-41b4-9b88-a83980d2255b +description: Detects when a API Token is revoked. author: Austin Songer status: experimental -date: 2021/ +date: 2021/09/12 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ 
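Review bot: `falsepositives: Unknown` undersells how routine `system.api_token.create` is: administrators create API tokens for SCIM, infrastructure-as-code, log collectors and similar automation, so a note such as `Legitimate API token creation by administrators for integrations and automation` will save analysts a round-trip, and the alert should be paired with checking the actor against known automation accounts. The switch to `attack.persistence` is right; adding the technique ID next to the tactic would match the rest of the repository. The description should read `Detects when an API token is created.`.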
@@ -13,17 +11,11 @@ logsource: service: okta detection: selection: - eventtype: - - - - - displaymessage: - - - - + eventtype: system.api_token.revoke condition: selection level: medium tags: - attack.impact falsepositives: - - Okta being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Unknown + From 45b6ac72eeb1c0cbe38dee923431066b509094e3 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 20:19:57 -0500 Subject: [PATCH 21/31] Update okta_application_modified_or_deleted.yml --- .../okta_application_modified_or_deleted.yml | 22 +++++++------------ 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/rules/cloud/okta/okta_application_modified_or_deleted.yml b/rules/cloud/okta/okta_application_modified_or_deleted.yml index ca73d4f7a..634019714 100644 --- a/rules/cloud/okta/okta_application_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_application_modified_or_deleted.yml @@ -1,11 +1,9 @@ -NOT READY YET - -title: Okta -id: -description: Detects when an +title: Okta Application Modified or Deleted +id: 7899144b-e416-4c28-b0b5-ab8f9e0a541d +description: Detects when an application is modified or deleted. author: Austin Songer status: experimental -date: 2021/ +date: 2021/09/12 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ 
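Review bot: `attack.impact` with `level: medium` is a poor fit for `system.api_token.revoke`, which is normally the defender's own action (rotation, offboarding) and rarely attacker-driven, so as written the rule will alert on routine hygiene. If the intent is to catch an intruder covering tracks by revoking someone else's token, state that in the description and keep the level; otherwise consider `level: low` and replace `falsepositives: Unknown` with `Token rotation or removal by administrators`. The file also appears to gain an empty trailing added line, which yamllint-style checks tend to flag.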
@@ -14,16 +12,12 @@ logsource: detection: selection: eventtype: - - - - - displaymessage: - - - - + - application.lifecycle.update + - application.lifecycle.delete condition: selection level: medium tags: - attack.impact falsepositives: - - Okta being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Unknown + From e60fbbf4b8b0e3b1ab30d3eff915dc397324aaf8 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 20:22:16 -0500 Subject: [PATCH 22/31] Update okta_network_zone_deactivated_or_deleted.yml --- ...ta_network_zone_deactivated_or_deleted.yml | 22 +++++++------------ 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml index ca73d4f7a..5d174c950 100644 --- a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml +++ b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml @@ -1,11 +1,9 @@ -NOT READY YET - -title: Okta -id: -description: Detects when an +title: Okta Network Zone Deactivated or Deleted +id: 9f308120-69ed-4506-abde-ac6da81f4310 +description: Detects when an Network Zone is Deactivated or Deleted. author: Austin Songer status: experimental -date: 2021/ +date: 2021/09/12 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ 
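Review bot: Replacing the three-line false-positive list with `Unknown` drops the one entry that was actually useful: routine administrator changes are the expected benign source of `application.lifecycle.update`, which fires on ordinary app maintenance such as settings and certificate changes in most tenants, and that should stay documented. Because of that volume, `application.lifecycle.update` alone at `level: medium` will be hard to operationalise; consider splitting deletion (rarer, higher signal) from update, or scoping the update branch to sensitive applications via the target fields.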
@@ -14,16 +12,12 @@ logsource: detection: selection: eventtype: - - - - - displaymessage: - - - - + - zone.deactivate + - zone.delete condition: selection level: medium tags: - attack.impact falsepositives: - - Okta being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Unknown + From f759fff453f727d93e562e1b40f1f118a928d6d1 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 20:24:12 -0500 Subject: [PATCH 23/31] Update okta_policy_rule_modified_or_deleted.yml --- .../okta_policy_rule_modified_or_deleted.yml | 22 +++++++------------ 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml index ca73d4f7a..81cbea62c 100644 --- a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml +++ b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml @@ -1,11 +1,9 @@ -NOT READY YET - -title: Okta -id: -description: Detects when an +title: Okta Policy Rule Modified or Deleted +id: 0c97c1d3-4057-45c9-b148-1de94b631931v +description: Detects when an Policy Rule is Modified or Deleted. author: Austin Songer status: experimental -date: 2021/ +date: 2021/09/12 references: - https://developer.okta.com/docs/reference/api/system-log/ - https://developer.okta.com/docs/reference/api/event-types/ 
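Review bot: Deactivating or deleting a network zone removes an IP allow/deny list that sign-on policies depend on, which is defense evasion (Impair Defenses) rather than `attack.impact`; I would also rate it `high`, since it is a deliberate weakening of perimeter controls and far rarer than the application or policy updates covered by sibling rules. The rule misses the quieter variant — a `zone.update` that widens the gateway or proxy ranges to include an attacker's address — which achieves the same effect without ever deactivating the zone; that is worth a sibling rule, or an extra event here with the title adjusted. `falsepositives: Unknown` should at least mention administrators retiring zones during network changes.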
@@ -14,16 +12,12 @@ logsource: detection: selection: eventtype: - - - - - displaymessage: - - - - + - policy.rule.update + - policy.rule.delete condition: selection level: medium tags: - attack.impact falsepositives: - - Okta being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Unknown + From 249d3198d33dd723d5554372162c2bea191f9213 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 20:27:45 -0500 Subject: [PATCH 24/31] Create okta_application_sign-on_policy_modified_or_deleted.yml --- ...ion_sign-on_policy_modified_or_deleted.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml diff --git a/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml new file mode 100644 index 000000000..47fd37e7e --- /dev/null +++ b/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml @@ -0,0 +1,22 @@ +title: Okta Application Sign-On Policy Modified or Deleted +id: Application Sign-On Policy +description: Detects when an application Sign-on Policy is modified or deleted. +author: Austin Songer +status: experimental +date: 2021/09/12 +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + service: okta +detection: + selection: + eventtype: + - application.policy.sign_on.update + - application.policy.sign_on.rule.delete + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown From bec7b5d3e79a8dfed0d526c9f159aa0cd5c47550 Mon Sep 17 00:00:00 2001 
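Review bot: The `id` written into okta_policy_rule_modified_or_deleted.yml, `0c97c1d3-4057-45c9-b148-1de94b631931v`, has a stray trailing `v` and is not a valid UUID; nothing later in this series corrects it, so it will fail any UUID validation the repository applies to rule IDs. The sign-on policy rule in the second hunk pairs `application.policy.sign_on.update` with `application.policy.sign_on.rule.delete`, which is asymmetric — the title covers modification and deletion of the policy, so either both the policy and the rule events should be listed (if the rule-level update event exists, per the event-types reference) or the title should say which object is meant. Its `id: Application Sign-On Policy` is not a UUID either; patch 29 in this series fixes that one.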
From: Austin Songer
Date: Sun, 12 Sep 2021 20:33:27 -0500
Subject: [PATCH 25/31] Create okta_security_threat_detected.yml

---
 .../okta/okta_security_threat_detected.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 rules/cloud/okta/okta_security_threat_detected.yml

diff --git a/rules/cloud/okta/okta_security_threat_detected.yml b/rules/cloud/okta/okta_security_threat_detected.yml
new file mode 100644
index 000000000..1284f8c97
--- /dev/null
+++ b/rules/cloud/okta/okta_security_threat_detected.yml
@@ -0,0 +1,19 @@
+title: Okta Security Threat Detected
+id: 5c82f0b9-3c6d-477f-a318-0e14a1df73e0
+description: Detects when an security threat is detected in Okta.
+author: Austin Songer
+status: experimental
+date: 2021/09/12
+references:
+ - https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm
+ - https://developer.okta.com/docs/reference/api/system-log/
+ - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+ service: okta
+detection:
+ selection:
+ eventtype: security.threat.detected
+ condition: selection
+level: medium
+falsepositives:
+ - None

From 1f5e2577cbbdd4b2bd9f3a633a2f6529950c1355 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 12 Sep 2021 20:34:37 -0500
Subject: [PATCH 26/31] Delete okta_user_account_mfa_reset.yml

---
 .../okta/okta_user_account_mfa_reset.yml | 29 -------------------
 1 file changed, 29 deletions(-)
 delete mode 100644 rules/cloud/okta/okta_user_account_mfa_reset.yml

diff --git a/rules/cloud/okta/okta_user_account_mfa_reset.yml b/rules/cloud/okta/okta_user_account_mfa_reset.yml
deleted file mode 100644
index ca73d4f7a..000000000
--- a/rules/cloud/okta/okta_user_account_mfa_reset.yml
+++ /dev/null
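Review bot: This rule has no `tags` block, unlike every other rule in the series, and `falsepositives: None` is not credible for ThreatInsight, which — as I understand the linked page — flags requests from source addresses Okta has seen misbehaving across tenants and so will fire on shared egress such as VPN exits and corporate NAT; write that benign cause down. Since the feature targets credential-stuffing and password-spray sources, `- attack.credential_access` and `- attack.t1110` are the natural tags. `eventtype: security.threat.detected` is the right selector; if the event carries an outcome distinguishing blocked from log-only handling (which depends on the tenant's ThreatInsight mode), surfacing it would let analysts prioritise. Also `description: Detects when a security threat is detected by Okta ThreatInsight.` reads better.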
@@ -1,29 +0,0 @@ -NOT READY YET - -title: Okta -id: -description: Detects when an -author: Austin Songer -status: experimental -date: 2021/ -references: - - https://developer.okta.com/docs/reference/api/system-log/ - - https://developer.okta.com/docs/reference/api/event-types/ -logsource: - service: okta -detection: - selection: - eventtype: - - - - - displaymessage: - - - - - condition: selection -level: medium -tags: - - attack.impact -falsepositives: - - Okta being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 01c985b99adddf66d6a7cba9b0e9e5aa9b5b9a1b Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 12 Sep 2021 20:40:33 -0500 Subject: [PATCH 27/31] Update and rename okta_user_account_mfa_bypass_attempt.yml to okta_mfa_reset_or_deactivated.yml --- .../okta/okta_mfa_reset_or_deactivated.yml | 22 ++++++++++++++ .../okta_user_account_mfa_bypass_attempt.yml | 29 ------------------- 2 files changed, 22 insertions(+), 29 deletions(-) create mode 100644 rules/cloud/okta/okta_mfa_reset_or_deactivated.yml delete mode 100644 rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml diff --git a/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml b/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml new file mode 100644 index 000000000..ba7890823 --- /dev/null +++ b/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml 
@@ -0,0 +1,22 @@
+title: Okta MFA Reset or Deactivated
+id: 50e068d7-1e6b-4054-87e5-0a592c40c7e0
+description: Detects when an attempt at deactivating or resetting MFA.
+author: Austin Songer
+status: experimental
+date: 2021/09/21
+references:
+ - https://developer.okta.com/docs/reference/api/system-log/
+ - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+ service: okta
+detection:
+ selection:
+ eventtype:
+ - user.mfa.factor.deactivate
+ - user.mfa.factor.reset_all
+ condition: selection
+level: medium
+tags:
+ - attack.persistence
+falsepositives:
+ - If a MFA reset or deactivated was performed by a system administrator.
diff --git a/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml b/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml
deleted file mode 100644
index ca73d4f7a..000000000
--- a/rules/cloud/okta/okta_user_account_mfa_bypass_attempt.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-NOT READY YET
-
-title: Okta
-id:
-description: Detects when an
-author: Austin Songer
-status: experimental
-date: 2021/
-references:
- - https://developer.okta.com/docs/reference/api/system-log/
- - https://developer.okta.com/docs/reference/api/event-types/
-logsource:
- service: okta
-detection:
- selection:
- eventtype:
- -
- -
- displaymessage:
- -
- -
- condition: selection
-level: medium
-tags:
- - attack.impact
-falsepositives:
- - Okta being modified or deleted may be performed by a system administrator.
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From e1ef3857fb53787457b0c8cb07b390be50196b45 Mon Sep 17 00:00:00 2001
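Review bot: `date: 2021/09/21` in the new rule is nine days after the commit's own date (Sun, 12 Sep 2021) and disagrees with the `date: 2021/09/12` every other rule in this series carries, so it reads as a transposed digit; `date: 2021/09/12` is the value that matches. `description: Detects when an attempt at deactivating or resetting MFA.` is a sentence fragment and should state the subject of the events it matches, e.g. `description: Detects when a user's MFA factor is deactivated or all of their MFA factors are reset.` The `falsepositives` entry is likewise a fragment; `- MFA reset or deactivation performed by a system administrator as part of user support.` says the same thing as a complete statement. The `attack.persistence` tag is a reasonable first mapping, though removing MFA factors is usually treated as modifying the authentication process, so the maintainers may want to reconsider the tag when the rule leaves experimental status.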
From: Austin Songer
Date: Sun, 12 Sep 2021 20:49:44 -0500
Subject: [PATCH 28/31] Update and rename okta_user_account_lockout.yml to okta_user_account_locked_out.yml
---
 ...ser_account_lockout.yml => okta_user_account_locked_out.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename rules/cloud/okta/{okta_user_account_lockout.yml => okta_user_account_locked_out.yml} (93%)
diff --git a/rules/cloud/okta/okta_user_account_lockout.yml b/rules/cloud/okta/okta_user_account_locked_out.yml
similarity index 93%
rename from rules/cloud/okta/okta_user_account_lockout.yml
rename to rules/cloud/okta/okta_user_account_locked_out.yml
index 92fd1081b..0b5c59309 100644
--- a/rules/cloud/okta/okta_user_account_lockout.yml
+++ b/rules/cloud/okta/okta_user_account_locked_out.yml
@@ -1,4 +1,4 @@
-title: Okta User Account Lock out
+title: Okta User Account Locked Out
 id: 14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a
 description: Detects when an user account is locked out.
 author: Austin Songer
From 18223a37cde617bcd55fcad60370208893c93e04 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 13 Sep 2021 06:26:01 +0200
Subject: [PATCH 29/31] Update okta_application_sign-on_policy_modified_or_deleted.yml
---
 .../okta_application_sign-on_policy_modified_or_deleted.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml
index 47fd37e7e..3b067027c 100644
--- a/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_application_sign-on_policy_modified_or_deleted.yml
@@ -1,5 +1,5 @@
 title: Okta Application Sign-On Policy Modified or Deleted
-id: Application Sign-On Policy
+id: 8f668cc4-c18e-45fe-ad00-624a981cf88a
 description: Detects when an application Sign-on Policy is modified or deleted.
 author: Austin Songer
 status: experimental
From e4d3d313c7546e8b59adc0aa69015d13fa95bdec Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 13 Sep 2021 06:33:49 +0200
Subject: [PATCH 30/31] Update okta_policy_rule_modified_or_deleted.yml
---
 rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml
index 81cbea62c..0cc96a97e 100644
--- a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml
@@ -1,5 +1,5 @@
 title: Okta Policy Rule Modified or Deleted
-id: 0c97c1d3-4057-45c9-b148-1de94b631931v
+id: 0c97c1d3-4057-45c9-b148-1de94b631931
 description: Detects when an Policy Rule is Modified or Deleted.
 author: Austin Songer
 status: experimental
From 8e1f36ec3997404c989ad65da9f837ec2673ab1f Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 12 Sep 2021 23:34:08 -0500
Subject: [PATCH 31/31] Update okta_api_token_created.yml
---
 rules/cloud/okta/okta_api_token_created.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/cloud/okta/okta_api_token_created.yml b/rules/cloud/okta/okta_api_token_created.yml
index a4a49a16d..99bff4e85 100644
--- a/rules/cloud/okta/okta_api_token_created.yml
+++ b/rules/cloud/okta/okta_api_token_created.yml
@@ -18,3 +18,4 @@ tags:
 - attack.persistence
 falsepositives:
 - Unknown
+