Attempt to Delete an Okta Policy Rule

Elastic Detection Rules

Summary
This detection rule identifies unauthorized attempts to delete policy rules within an Okta tenant. Deleting such rules weakens security controls and can allow an adversary to gain unauthorized access or carry out further malicious activity. The rule matches the specific Okta system log event that records a policy rule deletion, which is a possible sign of a defense evasion tactic. Alerting relies on Okta logs ingested through the Okta Fleet integration or the Filebeat Okta module. The rule's investigation guidance recommends reviewing the actor-specific fields in those events, which give insight into the actor's identity, device, authentication attempts, and the surrounding context of the action. It also includes incident response and remediation recommendations, emphasizing immediate protective measures for compromised accounts and reinforcing organizational security practices.
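As an added illustration (not the rule's own query or Elastic's code), the following Python script shows how the selection described above can be applied to normalised Okta system log events and how the actor-specific fields are pulled out for triage. The event records are constructed for this example; the nesting of fields (`event.dataset`, `event.action`, `okta.actor.*`, `okta.client.*`, `okta.outcome.*`, `okta.target`) is assumed to resemble what the Filebeat/Fleet Okta integration produces, while `policy.rule.delete` is the Okta event type name for a rule deletion. Both successful and failed deletions are kept, since the rule is about attempts.

```python
import json
from typing import Any, Dict, List

# Constructed sample events shaped like Okta System Log records after ECS
# normalisation. Field layout is an assumption for this example; only the
# eventType value "policy.rule.delete" is a real Okta event name.
SAMPLE_EVENTS_JSON = r"""
[
 {"@timestamp": "2024-01-10T12:00:00Z",
  "event": {"dataset": "okta.system", "action": "policy.rule.delete"},
  "okta": {"actor": {"display_name": "Jane Admin", "alternate_id": "jane.admin@example.com", "type": "User"},
           "client": {"ip": "203.0.113.10", "user_agent": {"raw_user_agent": "Mozilla/5.0"}},
           "outcome": {"result": "SUCCESS"},
           "target": [{"type": "Rule", "display_name": "Require MFA for admins"},
                      {"type": "Policy", "display_name": "Admin Sign-On Policy"}]}},
 {"@timestamp": "2024-01-10T12:05:00Z",
  "event": {"dataset": "okta.system", "action": "policy.rule.delete"},
  "okta": {"actor": {"display_name": "svc-automation", "alternate_id": "svc-automation@example.com", "type": "User"},
           "client": {"ip": "198.51.100.7", "user_agent": {"raw_user_agent": "curl/8.0"}},
           "outcome": {"result": "FAILURE", "reason": "Insufficient permissions"},
           "target": [{"type": "Rule", "display_name": "Block legacy auth"}]}},
 {"@timestamp": "2024-01-10T12:06:00Z",
  "event": {"dataset": "okta.system", "action": "user.session.start"},
  "okta": {"actor": {"display_name": "Bob User", "alternate_id": "bob@example.com", "type": "User"},
           "client": {"ip": "192.0.2.44", "user_agent": {"raw_user_agent": "Mozilla/5.0"}},
           "outcome": {"result": "SUCCESS"}}}
]
"""
SAMPLE_EVENTS: List[Dict[str, Any]] = json.loads(SAMPLE_EVENTS_JSON)


def get_path(event: Dict[str, Any], path: str, default: Any = None) -> Any:
    """Walk a dotted path (e.g. 'okta.actor.alternate_id') through nested dicts."""
    node: Any = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def is_policy_rule_deletion(event: Dict[str, Any]) -> bool:
    """Selection mirroring the rule: an Okta system log event recording a policy rule deletion."""
    return (get_path(event, "event.dataset") == "okta.system"
            and get_path(event, "event.action") == "policy.rule.delete")


def triage_fields(event: Dict[str, Any]) -> Dict[str, Any]:
    """Extract the actor, client and target details an analyst reviews on a hit."""
    targets = get_path(event, "okta.target", []) or []
    deleted_rules = [t.get("display_name") for t in targets if t.get("type") == "Rule"]
    return {
        "timestamp": event.get("@timestamp"),
        "actor": get_path(event, "okta.actor.alternate_id"),
        "actor_type": get_path(event, "okta.actor.type"),
        "client_ip": get_path(event, "okta.client.ip"),
        "user_agent": get_path(event, "okta.client.user_agent.raw_user_agent"),
        "outcome": get_path(event, "okta.outcome.result"),
        "outcome_reason": get_path(event, "okta.outcome.reason"),
        "deleted_rules": deleted_rules,
    }


def find_policy_rule_deletions(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return triage records for every deletion attempt, successful or not."""
    return [triage_fields(e) for e in events if is_policy_rule_deletion(e)]


def deletions_by_actor(events: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count attempts per actor; one account removing several rules is worth a closer look."""
    counts: Dict[str, int] = {}
    for hit in find_policy_rule_deletions(events):
        counts[hit["actor"]] = counts.get(hit["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_policy_rule_deletions(SAMPLE_EVENTS):
        print(json.dumps(hit))
    print(deletions_by_actor(SAMPLE_EVENTS))
```

Running the script prints two triage records (the successful deletion by the admin account and the failed attempt by the service account) and skips the unrelated session event. In a real deployment the same selection would be expressed as the rule's query and the triage fields would come from the alert document rather than a local list.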
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • User Account
  • Application Log
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1562
  • T1562.007
Created: 2020-11-06