From f438a222d5508fb65dd97f7fb22fce5a8a830fa4 Mon Sep 17 00:00:00 2001
From: David French <56409778+threat-punter@users.noreply.github.com>
Date: Thu, 2 Jul 2020 08:52:55 -0600
Subject: [PATCH] [New Rule] Attempt to Modify or Delete Okta Application Sign On Policy (#10)
* Add okta rule for policy modification/delete
* Update rule name
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
* Update rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
Co-authored-by: Justin Ibarra
* Add event.module value to query
* Update okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
Add event.category and event.type values to query
* Update rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra
---
 ..._or_delete_application_sign_on_policy.toml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
diff --git a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
new file mode 100644
index 000000000..f255af906
--- /dev/null
+++ b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -0,0 +1,35 @@
+[metadata]
+creation_date = "2020/07/01"
+ecs_version = ["1.5.0"]
+maturity = "production"
+updated_date = "2020/07/01"
+
+[rule]
+author = ["Elastic"]
+description = """
+An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an
+organization's security controls.
+"""
+false_positives = [
+ """
+ Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are
+ regularly modified or deleted in your organization.
+ """,
+]
+index = ["filebeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Modification or Removal of an Okta Application Sign-On Policy"
+references = [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+]
+risk_score = 47
+rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe"
+severity = "medium"
+tags = ["Elastic", "Okta"]
+type = "query"
+
+query = '''
+event.module:okta and event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)
+'''
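Review bot: The `query` value at the end of the hunk matches only `application.policy.sign_on.update` and `application.policy.sign_on.rule.delete`, so it covers updates at the policy level but deletions only at the rule level, while `name` and `description` promise detection of both modification and removal of the policy itself; if Okta logs a policy-level deletion or a rule-level modification under other event types, neither would fire this rule. Either widen the `event.action` list after checking the Okta event-types reference already cited in `references`, or narrow the description so analysts are not given a false sense of coverage, e.g. change the first description line to `An adversary may attempt to modify the sign on policy for an Okta application, or delete one of its rules, in order to remove or weaken an`. The commit message also mentions adding `event.category` and `event.type` to the query, but the final query carries neither; if they were dropped deliberately, a short note in the description or PR would save the next reviewer from chasing the discrepancy. The rule has no MITRE ATT&CK threat mapping either; if the repository schema supports one, adding it would aid triage.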