
Attempt to Delete an Okta Application

Elastic Detection Rules

Summary
This detection rule identifies attempts to delete an Okta application, which can indicate adversary activity aimed at weakening an organization's security posture. The rule focuses on Okta system log events for application lifecycle management, specifically deletions. Because organizations rely on Okta for identity management, the integrity of the applications registered there is critical: deleting an application can disrupt business operations or remove a security control, and an adversary may attempt it for exactly that reason. Monitoring these events lets security analysts assess and respond to potential threats promptly.

The detection logic is a KQL query that matches the specific event dataset and action type Okta records for application deletions. The rule outlines investigation steps for establishing whether a captured action was legitimate: validating that the acting user holds the required permissions, reviewing event timestamps, and correlating the deletion with other security events. It also includes guidance on handling the false positives that typically arise from maintenance activities or user lifecycle changes. This underscores the importance of contextual understanding when triaging security alerts in a multi-user identity environment such as Okta.
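The following Python script is an added example of the detection and triage workflow the summary describes; it is not Elastic's rule, and it does not reproduce the rule's KQL. It assumes that Okta System Log records carry the fields eventType, published, actor, client, target and outcome, and that the deletion event type is "application.lifecycle.delete" (taken from Okta's documented event types, not from this page). The sample events, the maintenance window and the approved-admin list are constructed for the example.

```python
"""Added example: flag Okta application deletion events and enrich each
alert with the context an analyst needs for triage (actor, source IP,
outcome, target app, and whether the action fits a known maintenance
window performed by an approved administrator).

Assumptions, not taken from the page: Okta System Log JSON shape and the
event type "application.lifecycle.delete". All sample data is constructed.
"""
import json
from datetime import datetime

# Okta System Log eventType for an application deletion (assumed from Okta docs).
DELETE_EVENT_TYPE = "application.lifecycle.delete"

# Constructed sample log lines, one JSON record per line (not real data).
SAMPLE_EVENTS = [
    json.dumps({
        "eventType": DELETE_EVENT_TYPE,
        "published": "2024-03-02T01:15:00Z",
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": "admin@example.com", "type": "User"},
        "client": {"ipAddress": "203.0.113.10"},
        "target": [{"type": "AppInstance", "displayName": "Legacy HR Portal"}],
    }),
    json.dumps({  # unrelated event: must not alert
        "eventType": "user.session.start",
        "published": "2024-03-02T09:00:00Z",
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": "jdoe@example.com", "type": "User"},
        "client": {"ipAddress": "198.51.100.7"},
        "target": [],
    }),
    json.dumps({  # failed deletion attempt outside any maintenance window
        "eventType": DELETE_EVENT_TYPE,
        "published": "2024-03-02T13:40:00Z",
        "outcome": {"result": "FAILURE"},
        "actor": {"alternateId": "contractor@example.com", "type": "User"},
        "client": {"ipAddress": "198.51.100.23"},
        "target": [{"type": "AppInstance", "displayName": "Payroll SSO"}],
    }),
    "this line is not JSON and must be skipped",
]


def _parse_ts(value):
    """Parse an Okta ISO-8601 timestamp (trailing 'Z' means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_event(line):
    """Return the event dict for a log line, or None if it is not valid JSON."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def is_app_deletion(event):
    """The detection condition: the event is an application deletion."""
    return event.get("eventType") == DELETE_EVENT_TYPE


def triage(event, maintenance_window=None, approved_admins=frozenset()):
    """Build an alert with the context the rule's investigation steps call for.

    maintenance_window: optional (start, end) pair of ISO timestamps;
    approved_admins: set of actor alternateIds allowed to delete apps.
    An alert is marked likely_benign only when BOTH conditions hold.
    """
    actor = event.get("actor", {}).get("alternateId", "<unknown>")
    published_raw = event.get("published")
    in_window = False
    if maintenance_window and published_raw:
        start, end = (_parse_ts(t) for t in maintenance_window)
        in_window = start <= _parse_ts(published_raw) <= end
    approved = actor in approved_admins
    return {
        "timestamp": published_raw,
        "actor": actor,
        "source_ip": event.get("client", {}).get("ipAddress"),
        "outcome": event.get("outcome", {}).get("result"),
        "app_names": [t.get("displayName") for t in event.get("target", [])
                      if t.get("type") == "AppInstance"],
        "in_maintenance_window": in_window,
        "actor_is_approved_admin": approved,
        "likely_benign": in_window and approved,
    }


def detect(lines, maintenance_window=None, approved_admins=frozenset()):
    """Run the detection over an iterable of log lines; return enriched alerts."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None or not is_app_deletion(event):
            continue
        alerts.append(triage(event, maintenance_window, approved_admins))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS,
                        maintenance_window=("2024-03-02T00:00:00Z", "2024-03-02T02:00:00Z"),
                        approved_admins=frozenset({"admin@example.com"})):
        print(json.dumps(alert, indent=2))
```

Both deletion events are still surfaced; the maintenance-window and approved-admin checks only annotate an alert as likely benign rather than suppressing it, so a failed deletion attempt by an unexpected account outside a change window stands out for investigation while routine lifecycle work is easy to close quickly.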
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • User Account
  • Logon Session
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1489
Created: 2020-11-06