Modification or Removal of an Okta Application Sign-On Policy

Elastic Stack Serverless Security

Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization’s security controls.

Rule type: query

Rule indices:

• filebeat-*
• logs-okta*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: None (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References:

• https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm
• https://developer.okta.com/docs/reference/api/system-log/
• https://developer.okta.com/docs/reference/api/event-types/
• https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy

Tags:

• Elastic
• Identity
• Okta
• Continuous Monitoring
• SecOps
• Identity and Access
• Persistence

Version: 102

Rule authors:

• Elastic

Rule license: Elastic License v2

event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)

Framework: MITRE ATT&CKTM

• Tactic:

  • Name: Persistence
  • ID: TA0003
  • Reference URL: https://attack.mitre.org/tactics/TA0003/

• Technique:

  • Name: Modify Authentication Process
  • ID: T1556
  • Reference URL: https://attack.mitre.org/techniques/T1556/