Attempt to Deactivate an Okta Network Zone

Elastic Detection Rules

Summary
This rule detects attempts to deactivate an Okta network zone. Network zones are configurations that restrict access based on IP addresses or geolocations, so an adversary may deactivate one to weaken an organization's security controls and widen its attack surface. The rule's query identifies deactivation events by monitoring Okta's system logs for the corresponding action; it is written in KQL against logs indexed by Filebeat. The rule carries a medium severity rating and forms part of a broader risk management and defensive strategy, mapping to the Defense Evasion tactic of the MITRE ATT&CK framework. False positives can occur, particularly in environments where legitimate administrative changes are common, so the recommendation is to establish proper context before acting on an alert.
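As an added illustration that is not part of the Elastic rule or this page, the following Python re-implements the rule's detection logic over constructed Okta system-log events shaped like Filebeat output, and adds the context step the summary recommends (checking whether the actor is an expected administrator). The field names (`event.dataset`, `event.action`, `okta.actor.alternate_id`, `okta.outcome.result`, `okta.target[].type` / `display_name`), the action value `zone.deactivate` and the sample events are assumptions based on the Filebeat Okta module's ECS mapping, not values given on this page.

```python
# Constructed sample Okta system-log events (simplified to the fields this check reads).
# Field names and the "zone.deactivate" action are assumptions, not taken from the page.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T08:12:03Z",
     "event": {"dataset": "okta.system", "action": "zone.deactivate"},
     "okta": {"actor": {"alternate_id": "it-admin@example.com"},
              "outcome": {"result": "SUCCESS"},
              "target": [{"type": "Zone", "display_name": "Corp-Office-IPs"}]}},
    {"@timestamp": "2024-05-01T08:15:44Z",
     "event": {"dataset": "okta.system", "action": "zone.update"},
     "okta": {"actor": {"alternate_id": "it-admin@example.com"},
              "outcome": {"result": "SUCCESS"},
              "target": [{"type": "Zone", "display_name": "Corp-Office-IPs"}]}},
    {"@timestamp": "2024-05-01T23:41:10Z",
     "event": {"dataset": "okta.system", "action": "zone.deactivate"},
     "okta": {"actor": {"alternate_id": "contractor@example.com"},
              "outcome": {"result": "SUCCESS"},
              "target": [{"type": "Zone", "display_name": "Blocked-Countries"}]}},
    # Same action name from a different dataset: must not match.
    {"@timestamp": "2024-05-02T01:00:00Z",
     "event": {"dataset": "aws.cloudtrail", "action": "zone.deactivate"},
     "okta": {}},
]


def matches_rule(event):
    """Mirror of a KQL condition: event.dataset:okta.system and event.action:zone.deactivate."""
    ev = event.get("event", {})
    return ev.get("dataset") == "okta.system" and ev.get("action") == "zone.deactivate"


def find_zone_deactivations(events):
    """Return one alert record per matching event, carrying the fields an analyst triages."""
    alerts = []
    for e in events:
        if not matches_rule(e):
            continue
        okta = e.get("okta", {})
        zones = [t.get("display_name") for t in okta.get("target", []) if t.get("type") == "Zone"]
        alerts.append({"timestamp": e.get("@timestamp"),
                       "actor": okta.get("actor", {}).get("alternate_id"),
                       "outcome": okta.get("outcome", {}).get("result"),
                       "zones": zones})
    return alerts


def needs_review(alerts, expected_admins):
    """Context step: keep only alerts whose actor is not an expected zone administrator."""
    return [a for a in alerts if a["actor"] not in expected_admins]


if __name__ == "__main__":
    for a in needs_review(find_zone_deactivations(SAMPLE_EVENTS), {"it-admin@example.com"}):
        print(f"{a['timestamp']} {a['actor']} deactivated zone(s) {a['zones']} ({a['outcome']})")
```

The allowlist in `needs_review` stands in for whatever change-management context an organization has; a successful deactivation by an unexpected actor, outside business hours as in the sample, is the case that warrants investigation.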
Categories
  • Identity Management
  • Cloud
  • Infrastructure
Data Sources
  • User Account
  • Application Log
  • Network Traffic
  • Cloud Service
ATT&CK Techniques
  • T1562
  • T1562.007
Created: 2020-11-06