Attempt to Modify an Okta Network Zone

Elastic Detection Rules

Summary
This threat detection rule detects attempts to modify Okta network zones, which control access based on IP addresses or geographical locations. Attackers may alter these zones to weaken an organization's security posture and open access to sensitive resources from locations that would otherwise be blocked. The rule captures modification actions (updates and deletions) on Okta network zones by matching specific event actions in the Okta system logs. Key investigation steps include analyzing actor details, reviewing client and user agent information, and verifying the outcome (success or failure) of each modification attempt. An assessment of the actor's historical behavior is also important for distinguishing routine administration from potential unauthorized access. Recommended monitoring and incident response measures include locking affected accounts where warranted and reevaluating MFA configuration. Overall, the rule strengthens security by monitoring key configuration changes within the Okta environment that adversaries may exploit to impair defenses.
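The detection logic the summary describes, as an added example that is not part of the rule's own query or the Elastic project's code: a small Python detector run over constructed Okta system log events, followed by a triage helper that picks out the actors the summary says deserve follow-up (anyone outside the expected admin set, or anyone whose attempt failed). The `event.action` values (`zone.update`, `zone.deactivate`, `zone.delete`), the ECS-style field layout (`okta.actor.alternate_id`, `okta.outcome.result`, `okta.target`, `client.ip`, `user_agent.original`) and the sample events are all assumptions made for illustration, not values taken from the page.

```python
from dataclasses import dataclass

# Assumed Okta system-log event types that represent a zone modification.
# The real rule's action list is not reproduced on the page; these are illustrative.
ZONE_MODIFY_ACTIONS = {"zone.update", "zone.deactivate", "zone.delete"}


@dataclass
class ZoneAlert:
    """One matched zone-modification attempt, carrying the fields the
    investigation guidance asks an analyst to review."""
    actor: str
    action: str
    outcome: str
    client_ip: str
    user_agent: str
    zone: str


def _target_zone(okta):
    # Assumed layout: okta.target is a list of {type, display_name} objects.
    for tgt in okta.get("target", []):
        if tgt.get("type") == "Zone":
            return tgt.get("display_name", "")
    return ""


def detect_zone_modifications(events):
    """Return a ZoneAlert for every Okta system-log event whose action is a
    network-zone update or deletion; other datasets and actions are ignored."""
    alerts = []
    for ev in events:
        meta = ev.get("event", {})
        if meta.get("dataset") != "okta.system":
            continue
        action = meta.get("action", "")
        if action not in ZONE_MODIFY_ACTIONS:
            continue
        okta = ev.get("okta", {})
        alerts.append(ZoneAlert(
            actor=okta.get("actor", {}).get("alternate_id", "unknown"),
            action=action,
            outcome=okta.get("outcome", {}).get("result", "unknown"),
            client_ip=ev.get("client", {}).get("ip", ""),
            user_agent=ev.get("user_agent", {}).get("original", ""),
            zone=_target_zone(okta),
        ))
    return alerts


def actors_needing_review(alerts, expected_admins):
    """Actors whose zone changes warrant follow-up: anyone not in the set of
    admins expected to edit zones, or anyone with a non-successful attempt."""
    flagged = set()
    for a in alerts:
        if a.actor not in expected_admins or a.outcome.upper() != "SUCCESS":
            flagged.add(a.actor)
    return sorted(flagged)


# Constructed sample events (not real log data). Two match the rule, one is an
# unrelated Okta action, and one has the right action but the wrong dataset.
SAMPLE_EVENTS = [
    {"event": {"dataset": "okta.system", "action": "zone.update"},
     "okta": {"actor": {"alternate_id": "admin@example.com"},
              "outcome": {"result": "SUCCESS"},
              "target": [{"type": "Zone", "display_name": "Corp Office"}]},
     "client": {"ip": "198.51.100.10"},
     "user_agent": {"original": "Mozilla/5.0 (constructed)"}},
    {"event": {"dataset": "okta.system", "action": "user.session.start"},
     "okta": {"actor": {"alternate_id": "alice@example.com"},
              "outcome": {"result": "SUCCESS"}}},
    {"event": {"dataset": "okta.system", "action": "zone.delete"},
     "okta": {"actor": {"alternate_id": "contractor@example.com"},
              "outcome": {"result": "FAILURE"},
              "target": [{"type": "Zone", "display_name": "Blocked Countries"}]},
     "client": {"ip": "203.0.113.7"},
     "user_agent": {"original": "python-requests/2.x (constructed)"}},
    {"event": {"dataset": "other.source", "action": "zone.update"},
     "okta": {"actor": {"alternate_id": "bob@example.com"}}},
]


if __name__ == "__main__":
    found = detect_zone_modifications(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("review:", actors_needing_review(found, {"admin@example.com"}))
```

Run on the constructed events, the detector yields two alerts (the successful `zone.update` by `admin@example.com` and the failed `zone.delete` by `contractor@example.com`) and the triage helper flags only the contractor, who is both outside the expected admin set and associated with a failed attempt. In a real deployment the expected-admin set would come from a maintained allow list and the historical-behavior check would look back over a longer window than a single batch.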
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1562
  • T1562.007
Created: 2020-05-21