Attempt to Delete an Okta Policy

Elastic Detection Rules

Summary
This rule detects attempts to delete Okta policies, which are essential for managing user access and enforcing security controls. Deleting a policy could signal an effort to weaken an organization's security posture, such as removing Multi-Factor Authentication (MFA) policies to facilitate unauthorized access. The detection uses a KQL query that monitors Okta system events for policy lifecycle deletions. When investigating, analysts are guided to examine specific fields in the alert, including the actor identifiers and the outcome of the deletion attempt, while also considering potential false positives from legitimate operational changes or system issues. The rule suggests relevant responses, including initiating incident response procedures if unauthorized activity is confirmed, or verifying adherence to security best practices. The rule is categorized as medium severity and maps to defense evasion tactics in the MITRE ATT&CK framework.
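The following is an added example (not Elastic's rule code) that applies the same logic offline: it reads Okta System Log events, flags every policy lifecycle deletion whether it succeeded or was denied, and pulls out the actor identifiers and outcome the summary says an analyst should examine. Field names follow Okta's System Log JSON schema; the log lines themselves are constructed sample data.

```python
import json

# Constructed Okta System Log events (NDJSON), not real tenant data.
# Field names follow Okta's System Log API schema.
SAMPLE_LOG = """
{"eventType": "policy.lifecycle.delete", "actor": {"id": "00u1abc", "type": "User", "alternateId": "admin@example.com"}, "outcome": {"result": "SUCCESS"}, "target": [{"id": "00p1xyz", "type": "Policy", "displayName": "MFA Enrollment"}]}
{"eventType": "user.session.start", "actor": {"id": "00u3ghi", "type": "User", "alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"}, "target": []}
{"eventType": "policy.lifecycle.delete", "actor": {"id": "00u2def", "type": "User", "alternateId": "helpdesk@example.com"}, "outcome": {"result": "FAILURE", "reason": "Access denied"}, "target": [{"id": "00p2xyz", "type": "Policy", "displayName": "Sign On Policy"}]}
"""

def parse_ndjson(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def policy_delete_alerts(events):
    """Mirror the rule: flag every policy.lifecycle.delete event.
    Failed attempts are kept too, since the rule targets attempts, and a
    denied deletion by an unexpected actor is still worth investigating."""
    alerts = []
    for ev in events:
        if ev.get("eventType") != "policy.lifecycle.delete":
            continue
        actor = ev.get("actor", {})
        outcome = ev.get("outcome", {})
        policies = [t.get("displayName") for t in ev.get("target", [])
                    if t.get("type") == "Policy"]
        alerts.append({
            "actor_id": actor.get("id"),          # actor identifier to review
            "actor": actor.get("alternateId"),    # usually the login/email
            "outcome": outcome.get("result"),     # SUCCESS or FAILURE
            "reason": outcome.get("reason"),      # populated on FAILURE
            "policies": policies,                 # which policy was targeted
        })
    return alerts

if __name__ == "__main__":
    for alert in policy_delete_alerts(parse_ndjson(SAMPLE_LOG)):
        print(alert)
```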
Categories
  • Identity Management
  • Cloud
  • Web
Data Sources
  • User Account
  • WMI
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1562
  • T1562.007
Created: 2020-05-28