
Summary
This detection rule identifies attempts to deactivate an Okta application, which may indicate malicious activity aimed at undermining organizational security controls or disrupting business operations. The rule leverages specific event data from Okta to surface any unsuccessful or unauthorized deactivation attempts, which could pose serious risk. Investigative steps include examining the actor fields, client details (source IP, user agent), and the surrounding context of the event to confirm whether the action was legitimate. False positives are handled by weighing the context of the action against the actor's authorization level. If unauthorized activity is confirmed, the documented incident response procedures apply.
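As an added illustration of the triage described above (example code, not the rule's own query), the following matches Okta System Log records with the `application.lifecycle.deactivate` event type and pulls out the actor, client and outcome fields an analyst would review; the log records and the `approved_actors` allow-list are constructed for the example.

```python
"""Added example: flag Okta application deactivation attempts (successful or
failed) in a batch of Okta System Log records and keep the actor/client
context needed for triage. Sample data below is constructed, not real."""
import json

# Okta System Log eventType emitted when an application is deactivated.
DEACTIVATE_EVENT = "application.lifecycle.deactivate"

# Constructed records shaped like Okta System Log entries.
SAMPLE_LOG = [
    {"eventType": DEACTIVATE_EVENT, "outcome": {"result": "SUCCESS"},
     "actor": {"id": "00u1", "alternateId": "admin@example.com", "type": "User"},
     "client": {"ipAddress": "203.0.113.10", "userAgent": {"rawUserAgent": "Mozilla/5.0"}},
     "target": [{"type": "AppInstance", "displayName": "Payroll SAML App"}],
     "published": "2020-11-06T10:00:00.000Z"},
    {"eventType": DEACTIVATE_EVENT,
     "outcome": {"result": "FAILURE", "reason": "Insufficient permissions"},
     "actor": {"id": "00u2", "alternateId": "contractor@example.com", "type": "User"},
     "client": {"ipAddress": "198.51.100.7", "userAgent": {"rawUserAgent": "curl/7.68"}},
     "target": [{"type": "AppInstance", "displayName": "VPN App"}],
     "published": "2020-11-06T10:05:00.000Z"},
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"id": "00u3", "alternateId": "user@example.com", "type": "User"},
     "client": {"ipAddress": "192.0.2.5"}, "target": [],
     "published": "2020-11-06T10:06:00.000Z"},
]


def find_deactivation_attempts(records, approved_actors=frozenset()):
    """Return one triage summary per deactivation attempt, success or failure.
    approved_actors is a hypothetical allow-list (e.g. admins covered by a
    change ticket); matches are tagged as likely false positives, not dropped."""
    hits = []
    for rec in records:
        if rec.get("eventType") != DEACTIVATE_EVENT:
            continue
        actor, client, outcome = rec.get("actor", {}), rec.get("client", {}), rec.get("outcome", {})
        hits.append({
            "time": rec.get("published"),
            "actor": actor.get("alternateId"),
            "actor_type": actor.get("type"),
            "result": outcome.get("result"),
            "reason": outcome.get("reason"),
            "source_ip": client.get("ipAddress"),
            "user_agent": client.get("userAgent", {}).get("rawUserAgent"),
            "apps": [t.get("displayName") for t in rec.get("target", []) if t.get("type") == "AppInstance"],
            "actor_approved": actor.get("alternateId") in approved_actors,
        })
    return hits


if __name__ == "__main__":
    print(json.dumps(find_deactivation_attempts(SAMPLE_LOG, {"admin@example.com"}), indent=2))
```

A failed attempt from an unapproved actor (the second record) is exactly the case the rule is meant to surface, so the summary keeps the failure reason alongside the source IP and user agent.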
Categories
- Identity Management
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1489
Created: 2020-11-06