Create okta_attempt_to_deactivate_okta_application.toml (#496)

David French
2020-11-17 08:51:51 -07:00
committed by GitHub
parent 768069a8bc
commit 58e54f40e3
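--- /dev/null
+++ b/okta_attempt_to_deactivate_okta_application.toml
@@ -0,0 +1,38 @@
+[metadata]
+creation_date = "2020/11/06"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/11/06"
+[rule]
+author = ["Elastic"]
+description = """
+Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta
+application in order to weaken an organization's security controls or disrupt their business operations.
+"""
+false_positives = [
+"""
+Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are
+regularly deactivated and the behavior is expected.
+""",
+]
+index = ["filebeat-*", "logs-okta*"]
+language = "kuery"
+license = "Elastic License"
+name = "Attempt to Deactivate an Okta Application"
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+references = [
+"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
+"https://developer.okta.com/docs/reference/api/system-log/",
+"https://developer.okta.com/docs/reference/api/event-types/",
+]
+risk_score = 21
+rule_id = "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a"
+severity = "low"
+tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
+type = "query"
+query = '''
+event.dataset:okta.system and event.action:application.lifecycle.deactivate
+'''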
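Review bot: The new rule carries no `[[rule.threat]]` ATT&CK mapping, so analysts triaging an alert and coverage reports built from the ruleset cannot place it, even though the `description` frames the behaviour as weakening security controls, which reads as Defense Evasion via Impair Defenses (T1562) — confirm that is the intended mapping before adopting it. Related, the `description` mentions modify, deactivate, and delete while the `query` matches only `application.lifecycle.deactivate`; if the other lifecycle actions are covered by sibling rules, narrowing the description to deactivation would stop readers expecting this rule to fire on them. The `note` could also name what to inspect when the rule fires, along the lines of `note = "... When triaging, review the Okta actor, target application and client IP on the event, and confirm the change against the change-management record."`.
```toml
type = "query"
query = '''
event.dataset:okta.system and event.action:application.lifecycle.deactivate
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```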