
Summary
This detection rule monitors attempts to modify or delete sign-on policies for Okta applications, a tactic adversaries may use to weaken an organization's authentication controls. By alerting on changes to sign-on policies, security teams can identify unauthorized modifications that may compromise authentication requirements such as MFA enforcement. The rule uses events from Okta's System Log, matching the event types 'application.policy.sign_on.update' and 'application.policy.sign_on.rule.delete'. Security analysts should investigate flagged events thoroughly, keeping in mind that legitimate administrative actions can produce false positives. The response process involves reviewing the logs, reverting unauthorized changes, and, if necessary, disabling affected applications until the policy is restored. Recommendations for mitigating false positives and preventing future incidents are also included.
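The matching logic the summary describes, run over constructed Okta System Log lines, as an added example rather than the rule's own query; the user names, app names, IP addresses and the approved-admin list are assumptions made up for the example:

```python
import json

# Okta System Log event types the rule alerts on (taken from the rule description).
SIGN_ON_POLICY_EVENTS = {
    "application.policy.sign_on.update",
    "application.policy.sign_on.rule.delete",
}

# Constructed sample Okta System Log lines (one JSON object per line). Field names
# follow the Okta System Log API (eventType, actor, outcome, target, client,
# published); the users, app names and IPs are made up for this example.
SAMPLE_LOG = """\
{"eventType":"user.session.start","published":"2020-07-01T09:58:12.000Z","actor":{"alternateId":"alice@example.com","type":"User"},"outcome":{"result":"SUCCESS"},"client":{"ipAddress":"203.0.113.10"},"target":[]}
{"eventType":"application.policy.sign_on.update","published":"2020-07-01T10:02:41.000Z","actor":{"alternateId":"alice@example.com","type":"User"},"outcome":{"result":"SUCCESS"},"client":{"ipAddress":"203.0.113.10"},"target":[{"type":"AppInstance","displayName":"Payroll Portal"},{"type":"PolicyEntity","displayName":"Payroll Sign On Policy"}]}
{"eventType":"application.policy.sign_on.rule.delete","published":"2020-07-01T10:03:07.000Z","actor":{"alternateId":"svc-automation@example.com","type":"User"},"outcome":{"result":"SUCCESS"},"client":{"ipAddress":"198.51.100.7"},"target":[{"type":"AppInstance","displayName":"Payroll Portal"},{"type":"PolicyRule","displayName":"Require MFA"}]}
{"eventType":"application.lifecycle.update","published":"2020-07-01T10:05:00.000Z","actor":{"alternateId":"bob@example.com","type":"User"},"outcome":{"result":"SUCCESS"},"client":{"ipAddress":"203.0.113.11"},"target":[{"type":"AppInstance","displayName":"Payroll Portal"}]}
"""

# Assumed set of identities expected to change app policies through change
# management; used only to annotate alerts for triage, never to suppress them.
APPROVED_POLICY_ADMINS = {"svc-automation@example.com"}


def parse_system_log(text):
    """Parse newline-delimited Okta System Log JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_sign_on_policy_changes(events, approved_admins=APPROVED_POLICY_ADMINS):
    """Return one alert per event that updates or deletes an app sign-on policy."""
    alerts = []
    for ev in events:
        if ev.get("eventType") not in SIGN_ON_POLICY_EVENTS:
            continue
        actor = ev.get("actor", {}).get("alternateId")
        # Carry the context an analyst needs first: who, from where, which
        # app/policy, whether it succeeded, and whether the actor is expected.
        alerts.append({
            "published": ev.get("published"),
            "action": ev["eventType"],
            "actor": actor,
            "source_ip": ev.get("client", {}).get("ipAddress"),
            "result": ev.get("outcome", {}).get("result"),
            "targets": [t.get("displayName") for t in ev.get("target", [])],
            "approved_admin": actor in approved_admins,
        })
    return alerts
```

The `approved_admin` flag is a triage hint for the false positives the summary mentions; an approved account acting from an unfamiliar IP or outside a change window still warrants review, so the flag annotates rather than filters.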
Categories
- Identity Management
- Cloud
- Endpoint
Data Sources
- User Account
- Application Log
- Cloud Service
ATT&CK Techniques
- T1556
Created: 2020-07-01