
Summary
This rule detects modifications or deletions of policies in the Okta identity management system by monitoring the relevant event types in real time. Specifically, it queries the Okta logs for any event indicating a lifecycle update or deletion of a policy that occurred within the last two hours. This matters for organizations that rely on Okta for identity governance, because policy changes can have significant implications for security and access controls. Unmonitored modifications or deletions may indicate unauthorized access or manipulation attempts, so alerts should be generated for such actions. The rule keys on the event types 'policy.lifecycle.update' and 'policy.lifecycle.delete' so that only relevant events trigger alerts, keeping monitoring efficient and minimizing noise from less significant log entries.
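The filtering logic described above, written out as an added example (not the rule's own query or any vendor code). It applies the two event types and the two-hour lookback to a constructed sample of Okta System Log records; the field names (eventType, published, actor, target, outcome) follow Okta's documented log schema, while the record contents, identifiers and the fixed reference time are assumptions made up for the demonstration.

```python
"""Detection logic for Okta policy lifecycle changes (added example).

Filters Okta System Log events for 'policy.lifecycle.update' and
'policy.lifecycle.delete' that were published within a two-hour lookback
window, mirroring the rule described above. The sample events below are
constructed for this example, not real log data.
"""
from datetime import datetime, timedelta

# Event types the rule keys on (taken from the rule description).
POLICY_CHANGE_EVENTS = {"policy.lifecycle.update", "policy.lifecycle.delete"}
LOOKBACK = timedelta(hours=2)

# Constructed sample records using Okta System Log field names.
SAMPLE_EVENTS = [
    {   # in scope: policy update inside the window
        "uuid": "evt-0001",
        "eventType": "policy.lifecycle.update",
        "published": "2024-02-09T10:15:30.000Z",
        "actor": {"alternateId": "admin@example.com", "type": "User"},
        "target": [{"type": "Policy", "id": "pol-001",
                    "displayName": "MFA Enrollment Policy"}],
        "outcome": {"result": "SUCCESS"},
    },
    {   # in scope: policy deletion inside the window
        "uuid": "evt-0002",
        "eventType": "policy.lifecycle.delete",
        "published": "2024-02-09T09:05:00.000Z",
        "actor": {"alternateId": "svc-automation@example.com", "type": "User"},
        "target": [{"type": "Policy", "id": "pol-002",
                    "displayName": "Legacy Password Policy"}],
        "outcome": {"result": "SUCCESS"},
    },
    {   # out of scope: policy creation is not one of the two event types
        "uuid": "evt-0003",
        "eventType": "policy.lifecycle.create",
        "published": "2024-02-09T10:20:00.000Z",
        "actor": {"alternateId": "admin@example.com", "type": "User"},
        "target": [{"type": "Policy", "id": "pol-003",
                    "displayName": "Contractor Sign-On Policy"}],
        "outcome": {"result": "SUCCESS"},
    },
    {   # out of scope: right event type, but older than the lookback window
        "uuid": "evt-0004",
        "eventType": "policy.lifecycle.update",
        "published": "2024-02-09T06:00:00.000Z",
        "actor": {"alternateId": "admin@example.com", "type": "User"},
        "target": [{"type": "Policy", "id": "pol-001",
                    "displayName": "MFA Enrollment Policy"}],
        "outcome": {"result": "SUCCESS"},
    },
    {   # out of scope: unrelated noise
        "uuid": "evt-0005",
        "eventType": "user.session.start",
        "published": "2024-02-09T10:25:00.000Z",
        "actor": {"alternateId": "jdoe@example.com", "type": "User"},
        "target": [],
        "outcome": {"result": "SUCCESS"},
    },
]


def parse_published(ts: str) -> datetime:
    """Parse Okta's ISO 8601 'published' timestamp (trailing 'Z' = UTC)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_policy_changes(events, now: datetime, lookback: timedelta = LOOKBACK):
    """Return one alert record per in-scope policy event inside the window."""
    window_start = now - lookback
    alerts = []
    for ev in events:
        if ev.get("eventType") not in POLICY_CHANGE_EVENTS:
            continue  # only update/delete lifecycle events are relevant
        published = parse_published(ev["published"])
        if not (window_start <= published <= now):
            continue  # outside the two-hour lookback
        policies = [t for t in ev.get("target", []) if t.get("type") == "Policy"]
        alerts.append({
            "event_id": ev.get("uuid"),
            "event_type": ev["eventType"],
            "published": ev["published"],
            "actor": ev.get("actor", {}).get("alternateId"),
            "policies": [p.get("displayName") for p in policies],
            "outcome": ev.get("outcome", {}).get("result"),
        })
    return alerts


if __name__ == "__main__":
    # Fixed reference time so the sample is reproducible (assumed, not "now").
    reference_now = parse_published("2024-02-09T10:30:00.000Z")
    for alert in find_policy_changes(SAMPLE_EVENTS, reference_now):
        print(alert)
```

The sample deliberately includes a 'policy.lifecycle.create' record and an update older than two hours; both are dropped, so an analyst reviewing the output sees only the two records the rule is meant to surface, each with the acting identity and the policy it touched.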
Categories
- Application
- Identity Management
Data Sources
- Application Log
ATT&CK Techniques
- T1078
Created: 2024-02-09