Tune metadata in Okta rules to align with the style of other rules (#491)

* rune-okta-rule-metadata * update note field to include fleet integration info * separate okta policy rule modification and deletion into two rules * rename file to align with style of others * fix syntax typo * separate zone and policy deactivation, deletion, and modification actions into separate rules * fix typo * fix tpyo 🙃 * Use "detects" instead of "identifies" in description * Use "detects" instead of "identifies" in description * Use "detects" instead of "identifies" in description * Use "detects" instead of "identifies" in description
2020-11-18 09:59:11 -07:00
parent a05f160159
commit 8f6eba8986
22 changed files with 199 additions and 93 deletions
@@ -0,0 +1,38 @@
+[metadata]
+creation_date = "2020/11/06"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/11/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to
+a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta
+network zone in order to remove or weaken an organization's security controls.
+"""
+false_positives = [
+    """
+    Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are
+    regularly modified.
+    """,
+]
+index = ["filebeat-*", "logs-okta*"]
+language = "kuery"
+license = "Elastic License"
+name = "Attempt to Deactivate an Okta Network Zone"
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+references = [
+    "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
+    "https://developer.okta.com/docs/reference/api/system-log/",
+    "https://developer.okta.com/docs/reference/api/event-types/",
+]
+risk_score = 47
+rule_id = "8a5c1e5f-ad63-481e-b53a-ef959230f7f1"
+severity = "medium"
+tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Network Security"]
+type = "query"
+
+query = '''
+event.dataset:okta.system and event.action:zone.deactivate
+'''
@@ -0,0 +1,39 @@
+[metadata]
+creation_date = "2020/11/06"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/11/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a
+network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network
+zone in order to remove or weaken an organization's security controls.
+"""
+false_positives = [
+    """
+    Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are
+    regularly deleted.
+    """,
+]
+index = ["filebeat-*", "logs-okta*"]
+language = "kuery"
+license = "Elastic License"
+name = "Attempt to Delete an Okta Network Zone"
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+references = [
+    "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
+    "https://developer.okta.com/docs/reference/api/system-log/",
+    "https://developer.okta.com/docs/reference/api/event-types/",
+]
+risk_score = 47
+rule_id = "c749e367-a069-4a73-b1f2-43a3798153ad"
+severity = "medium"
+tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Network Security"]
+type = "query"
+
+query = '''
+event.dataset:okta.system and event.action:zone.delete
+'''
+
@@ -7,14 +7,14 @@ updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary may attempt to bypass the Okta multi-factor authentication (MFA) policies configured for an organization in
-order to obtain unauthorized access to an application. This rule detects when an Okta MFA bypass attempt occurs.
+Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA
+policies configured for an organization in order to obtain unauthorized access to an application.
 """
 index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License"
 name = "Attempted Bypass of Okta MFA"
-note = "The Okta Filebeat module must be enabled to use this rule."
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
@@ -42,4 +42,3 @@ reference = "https://attack.mitre.org/techniques/T1111/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
@@ -16,7 +16,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License"
 name = "Attempts to Brute Force an Okta User Account"
-note = "The Okta Filebeat module must be enabled to use this rule."
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License"
 name = "Okta Brute Force or Password Spraying Attack"
-note = "The Okta Filebeat module must be enabled to use this rule."
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
@@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License"
 name = "High Number of Okta User Password Reset or Unlock Attempts"
-note = "The Okta Filebeat module must be enabled to use this rule."
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
@@ -20,7 +20,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License"
 name = "Attempt to Revoke Okta API Token"
-note = "The Okta Filebeat module must be enabled to use this rule."
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
@@ -7,14 +7,14 @@ updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary may attempt to disrupt an organization's business operations by performing a denial of service (DoS) attack
-against its Okta infrastructure.
+Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an
+organization's business operations by performing a DoS attack against its Okta service.
 """
 index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License"
 name = "Possible Okta DoS Attack"
-note = "The Okta Filebeat module must be enabled to use this rule."
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
@@ -47,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1499/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
@@ -7,15 +7,15 @@ updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects when a user reports suspicious activity for their Okta account. These events should be investigated,
-as they can help security teams identify when an adversary is attempting to gain access to their network.
+Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can
+help security teams identify when an adversary is attempting to gain access to their network.
 """
 false_positives = ["A user may report suspicious activity on their Okta account in error."]
 index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License"
 name = "Suspicious Activity Reported by Okta User"
-note = "The Okta Filebeat module must be enabled to use this rule."
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
@@ -7,9 +7,9 @@ updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For
-example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the
-authentication requirements for user accounts.
+Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken
+an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor
+authentication (MFA) policy in order to weaken the authentication requirements for user accounts.
 """
 false_positives = [
    """
@@ -20,9 +20,10 @@ false_positives = [
 index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License"
-name = "Attempt to Deactivate Okta Policy"
-note = "The Okta Filebeat module must be enabled to use this rule."
+name = "Attempt to Deactivate an Okta Policy"
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
+    "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
 ]
@@ -36,17 +37,3 @@ query = '''
 event.dataset:okta.system and event.action:policy.lifecycle.deactivate
 '''

-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
@@ -7,8 +7,8 @@ updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary may attempt to deactivate an Okta multi-factor authentication (MFA) rule in order to remove or weaken an
-organization's security controls.
+Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an
+Okta policy in order to remove or weaken an organization's security controls.
 """
 false_positives = [
    """
@@ -19,15 +19,16 @@ false_positives = [
 index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License"
-name = "Attempt to Deactivate Okta MFA Rule"
-note = "The Okta Filebeat module must be enabled to use this rule."
+name = "Attempt to Deactivate an Okta Policy Rule"
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
+    "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
 ]
-risk_score = 21
+risk_score = 47
 rule_id = "cc92c835-da92-45c9-9f29-b4992ad621a0"
-severity = "low"
+severity = "medium"
 tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"

@@ -7,9 +7,9 @@ updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example,
-an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the
-authentication requirements for user accounts.
+Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an
+organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication
+(MFA) policy in order to weaken the authentication requirements for user accounts.
 """
 false_positives = [
    """
@@ -20,15 +20,16 @@ false_positives = [
 index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License"
-name = "Attempt to Delete Okta Policy"
-note = "The Okta Filebeat module must be enabled to use this rule."
+name = "Attempt to Delete an Okta Policy"
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
+    "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
 ]
-risk_score = 21
+risk_score = 47
 rule_id = "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9"
-severity = "low"
+severity = "medium"
 tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
 type = "query"

@@ -0,0 +1,38 @@
+[metadata]
+creation_date = "2020/11/06"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/11/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order
+to weaken an organization's security controls.
+"""
+false_positives = [
+    """
+    Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your
+    organization.
+    """,
+]
+index = ["filebeat-*", "logs-okta*"]
+language = "kuery"
+license = "Elastic License"
+name = "Attempt to Delete an Okta Policy Rule"
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+references = [
+    "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+    "https://developer.okta.com/docs/reference/api/system-log/",
+    "https://developer.okta.com/docs/reference/api/event-types/",
+]
+risk_score = 21
+rule_id = "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd"
+severity = "low"
+tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
+type = "query"
+
+query = '''
+event.dataset:okta.system and event.action:policy.rule.delete
+'''
+
@@ -7,9 +7,9 @@ updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
 description = """
-Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An
-adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an
-organization's security controls.
+Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a
+network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network
+zone in order to remove or weaken an organization's security controls.
 """
 false_positives = [
    """
@@ -20,9 +20,10 @@ false_positives = [
 index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License"
-name = "Attempt to Modify Okta Network Zone"
-note = "The Okta Filebeat module must be enabled to use this rule."
+name = "Attempt to Modify an Okta Network Zone"
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
+    "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
 ]
@@ -33,6 +34,6 @@ tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Netwo
 type = "query"

 query = '''
-event.dataset:okta.system and event.action:(zone.update or zone.deactivate or zone.delete or network_zone.rule.disabled or zone.remove_blacklist)
+event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)
 '''

@@ -7,9 +7,9 @@ updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example,
-an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the
-authentication requirements for user accounts.
+Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an
+organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication
+(MFA) policy in order to weaken the authentication requirements for user accounts.
 """
 false_positives = [
    """
@@ -20,8 +20,8 @@ false_positives = [
 index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License"
-name = "Attempt to Modify Okta Policy"
-note = "The Okta Filebeat module must be enabled to use this rule."
+name = "Attempt to Modify an Okta Policy"
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
@@ -35,4 +35,3 @@ type = "query"
 query = '''
 event.dataset:okta.system and event.action:policy.lifecycle.update
 '''
-
@@ -7,8 +7,8 @@ updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary may attempt to modify an Okta multi-factor authentication (MFA) rule in order to remove or weaken an
-organization's security controls.
+Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order
+to weaken an organization's security controls.
 """
 false_positives = [
    """
@@ -19,9 +19,10 @@ false_positives = [
 index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License"
-name = "Attempt to Modify Okta MFA Rule"
-note = "The Okta Filebeat module must be enabled to use this rule."
+name = "Attempt to Modify an Okta Policy Rule"
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
+    "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
 ]
@@ -32,6 +33,6 @@ tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Ident
 type = "query"

 query = '''
-event.dataset:okta.system and event.action:(policy.rule.update or policy.rule.delete)
+event.dataset:okta.system and event.action:policy.rule.update
 '''

@@ -7,8 +7,8 @@ updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an
-organization's security controls.
+Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or
+delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.
 """
 false_positives = [
    """
@@ -20,8 +20,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License"
 name = "Modification or Removal of an Okta Application Sign-On Policy"
-note = "The Okta Filebeat module must be enabled to use this rule."
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
+    "https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm",
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
 ]
@@ -7,15 +7,15 @@ updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from
-IP addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential
+Detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from IP
+addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential
 based attacks against their organization, such as brute force and password spraying attacks.
 """
 index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License"
 name = "Threat Detected by Okta ThreatInsight"
-note = "The Okta Filebeat module must be enabled to use this rule."
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
@@ -7,27 +7,29 @@ updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions
-to compromised user accounts.
+Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator
+privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access
+to their target organization.
 """
 false_positives = [
    """
-    Consider adding exceptions to this rule to filter false positives if administrator privileges are regularly assigned
-    to Okta groups in your organization.
+    Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected.
+    Exceptions can be added to this rule to filter expected behavior.
    """,
 ]
 index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License"
-name = "Administrator Privileges Assigned to Okta Group"
-note = "The Okta Filebeat module must be enabled to use this rule."
+name = "Administrator Privileges Assigned to an Okta Group"
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
+    "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
 ]
-risk_score = 21
+risk_score = 47
 rule_id = "b8075894-0b62-46e5-977c-31275da34419"
-severity = "low"
+severity = "medium"
 tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
 type = "query"

@@ -7,9 +7,9 @@ updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve
-their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling
-security rules or policies.
+Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an
+organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute
+techniques such as creating user accounts or disabling security rules or policies.
 """
 false_positives = [
    """
@@ -21,14 +21,14 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License"
 name = "Attempt to Create Okta API Token"
-note = "The Okta Filebeat module must be enabled to use this rule."
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
 ]
-risk_score = 21
+risk_score = 47
 rule_id = "96b9f4ea-0e8c-435b-8d53-2096e75fcac5"
-severity = "low"
+severity = "medium"
 tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
 type = "query"

@@ -7,8 +7,8 @@ updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary may deactivate multi-factor authentication (MFA) for an Okta user account in order to weaken the
-authentication requirements for the account.
+Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for
+an Okta user account in order to weaken the authentication requirements for the account.
 """
 false_positives = [
    """
@@ -19,8 +19,8 @@ false_positives = [
 index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License"
-name = "Attempt to Deactivate MFA for Okta User Account"
-note = "The Okta Filebeat module must be enabled to use this rule."
+name = "Attempt to Deactivate MFA for an Okta User Account"
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
@@ -7,8 +7,9 @@ updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary may attempt to remove the multi-factor authentication (MFA) factors registered on an Okta user's account in
-order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.
+Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt
+to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend
+in with normal activity in the victim's environment.
 """
 false_positives = [
    """
@@ -19,8 +20,8 @@ false_positives = [
 index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License"
-name = "Attempt to Reset MFA Factors for Okta User Account"
-note = "The Okta Filebeat module must be enabled to use this rule."
+name = "Attempt to Reset MFA Factors for an Okta User Account"
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
@@ -48,4 +49,3 @@ reference = "https://attack.mitre.org/techniques/T1098/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-