
Summary
This detection rule monitors for attempts to modify rules within Okta policies, an action adversaries may take to weaken an organization's security posture. The rule triggers an alert whenever a rule within an Okta policy is modified; because the rule itself cannot tell an authorized change from an unauthorized one, such modifications indicate malicious intent only when they fall outside the organization's established change-management practices. Key investigation steps include reviewing the actor information, examining user agent data, checking the outcome result, and assessing login activity surrounding the modification attempt. Handling false positives is critical, as legitimate administrative changes, including routine MFA policy changes, trigger the same alert. If an unauthorized modification is confirmed, immediate incident response actions are initiated, including account lockdowns and MFA reassessments. This rule underscores the importance of continuous monitoring and proactive security measures within identity and access management, especially in cloud environments like Okta.
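As an added example (not part of the original page or of any vendor's rule), the following Python runs the detection and the four investigation steps above over a few constructed Okta System Log lines: it selects policy-rule modification events, then for each one extracts the actor, user agent and outcome, counts the actor's logins and failed logins in the preceding window, and checks the actor against a change-approval list so that expected administrative changes are separated from ones that need investigation. It assumes Okta's System Log eventType names (policy.rule.update and its siblings for rule changes, user.session.start for logins) and the field layout of those events; the sample lines, actor names, rule names and the approved-actor list are constructed for illustration.

```python
"""Added example: triage Okta System Log events for policy-rule modifications.
Not from the page or from any vendor rule. Event names are Okta's System Log
eventTypes; the log lines below are constructed samples."""
import json
from datetime import datetime, timedelta, timezone

# Okta System Log eventTypes that create, change or remove a policy rule.
POLICY_RULE_EVENTS = {"policy.rule.add", "policy.rule.update", "policy.rule.delete",
                      "policy.rule.activate", "policy.rule.deactivate"}
LOGIN_EVENT = "user.session.start"

# Constructed sample events (JSON lines), trimmed to the fields used below.
SAMPLE_LOG = r"""
{"published":"2024-03-10T09:58:10.000Z","eventType":"user.session.start","actor":{"id":"00u1","type":"User","alternateId":"admin@example.com"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0 Chrome/122","browser":"CHROME"}},"outcome":{"result":"SUCCESS"},"target":null}
{"published":"2024-03-10T10:02:30.000Z","eventType":"policy.rule.update","actor":{"id":"00u1","type":"User","alternateId":"admin@example.com"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0 Chrome/122","browser":"CHROME"}},"outcome":{"result":"SUCCESS"},"target":[{"id":"0pr1","type":"Rule","displayName":"Require MFA for admins"}]}
{"published":"2024-03-10T10:05:00.000Z","eventType":"user.session.start","actor":{"id":"00u2","type":"User","alternateId":"contractor@example.com"},"client":{"ipAddress":"198.51.100.7","userAgent":{"rawUserAgent":"python-requests/2.31","browser":"UNKNOWN"}},"outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"target":null}
{"published":"2024-03-10T10:05:20.000Z","eventType":"user.session.start","actor":{"id":"00u2","type":"User","alternateId":"contractor@example.com"},"client":{"ipAddress":"198.51.100.7","userAgent":{"rawUserAgent":"python-requests/2.31","browser":"UNKNOWN"}},"outcome":{"result":"SUCCESS"},"target":null}
{"published":"2024-03-10T10:05:40.000Z","eventType":"policy.rule.update","actor":{"id":"00u2","type":"User","alternateId":"contractor@example.com"},"client":{"ipAddress":"198.51.100.7","userAgent":{"rawUserAgent":"python-requests/2.31","browser":"UNKNOWN"}},"outcome":{"result":"FAILURE","reason":"Insufficient permissions"},"target":[{"id":"0pr1","type":"Rule","displayName":"Require MFA for admins"}]}
{"published":"2024-03-10T10:06:00.000Z","eventType":"policy.rule.deactivate","actor":{"id":"00u2","type":"User","alternateId":"contractor@example.com"},"client":{"ipAddress":"198.51.100.7","userAgent":{"rawUserAgent":"python-requests/2.31","browser":"UNKNOWN"}},"outcome":{"result":"SUCCESS"},"target":[{"id":"0pr1","type":"Rule","displayName":"Require MFA for admins"}]}
"""


def _ts(s):
    """Parse the System Log 'published' timestamp into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    """Parse JSON-lines System Log output, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_rule_modifications(events):
    """The detection itself: every event that touches a policy rule."""
    return [e for e in events if e["eventType"] in POLICY_RULE_EVENTS]


def triage(events, alert, approved_actors=frozenset(), window=timedelta(hours=1)):
    """Apply the investigation steps to one alert and return a triage record."""
    when = _ts(alert["published"])
    actor = alert["actor"]
    ua = alert["client"]["userAgent"]
    outcome = alert["outcome"]["result"]
    # Login activity by the same actor in the window before the modification.
    logins = [e for e in events
              if e["eventType"] == LOGIN_EVENT and e["actor"]["id"] == actor["id"]
              and when - window <= _ts(e["published"]) <= when]
    failed = sum(1 for e in logins if e["outcome"]["result"] != "SUCCESS")
    findings = []
    if actor["alternateId"] not in approved_actors:
        findings.append("actor is not on the change-approval list")
    if failed:
        findings.append(f"{failed} failed login(s) by this actor in the preceding window")
    if ua.get("browser", "UNKNOWN") == "UNKNOWN":
        findings.append("non-browser client: " + ua.get("rawUserAgent", ""))
    if outcome != "SUCCESS":
        verdict = "failed_attempt"      # rule was not changed, but the attempt itself matters
    elif findings:
        verdict = "investigate"
    else:
        verdict = "approved_change"     # expected admin activity; likely false positive
    return {
        "event": alert["eventType"],
        "actor": actor["alternateId"],
        "ip": alert["client"]["ipAddress"],
        "user_agent": ua.get("rawUserAgent", ""),
        "outcome": outcome,
        "targets": [t["displayName"] for t in alert.get("target") or [] if t["type"] == "Rule"],
        "logins": len(logins),
        "failed_logins": failed,
        "findings": findings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in find_rule_modifications(evs):
        print(json.dumps(triage(evs, a, approved_actors={"admin@example.com"}), indent=1))
```

In the sample, the administrator's update is classified as an approved change, while the contractor's deactivation of the same MFA rule is flagged for investigation because the actor is not on the approval list, logged in from a scripted client, and had a failed login minutes earlier; the contractor's earlier denied attempt is kept as a failed attempt rather than discarded. The approval list is the simplest form of false-positive handling; in practice it would be fed from a change-management system.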
Categories
- Identity Management
- Cloud
- Application
Data Sources
- User Account
- Cloud Service
- Application Log
ATT&CK Techniques
- T1562
- T1562.007
Created: 2020-05-21