Attempt to Deactivate an Okta Policy

Elastic Detection Rules

Summary
This detection rule alerts on attempts to deactivate an Okta policy, an action that can indicate an adversary trying to weaken the organization's security controls. Okta policies, in particular those governing multi-factor authentication (MFA), are central to protecting user access; deactivating one lowers the authentication requirements for the accounts it covers and can make unauthorized access easier. The rule matches policy deactivation events in the Okta System Log. Note that it fires on the attempt, not only on success: a failed deactivation by an unexpected actor is as worth investigating as a successful one. Investigation covers the actor's identity, the client details (IP address, user agent), the outcome of the attempt, and the surrounding pattern of behavior, such as several deactivation attempts by the same actor in a short window. The rule also gives response guidance for incidents arising from such attempts, including locking affected accounts and resetting MFA tokens.
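The following is an added example, not code from the Elastic rule or from Okta, that runs the rule's logic over a few constructed Okta System Log records. It assumes the Okta System Log schema (eventType, actor, client, outcome, target) and that policy deactivation is reported under eventType policy.lifecycle.deactivate; the rule's exact query is not shown on this page. Beyond matching the event, it extracts the fields the investigation calls for and counts a given actor's attempts within a time window, so that a burst of attempts stands out. All log lines are constructed sample data.

```python
"""Flag attempts to deactivate an Okta policy from Okta System Log events."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: Okta reports policy deactivation under this eventType.
POLICY_DEACTIVATE = "policy.lifecycle.deactivate"

# Constructed sample events in Okta System Log shape (NDJSON); not real data.
# e2 succeeds, e3 fails (both are attempts), e1 and e4 are unrelated.
SAMPLE_LOG = """
{"uuid":"e1","published":"2024-03-01T10:00:00.000Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com","type":"User"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0"}},"outcome":{"result":"SUCCESS"},"target":[]}
{"uuid":"e2","published":"2024-03-01T10:05:00.000Z","eventType":"policy.lifecycle.deactivate","actor":{"alternateId":"alice@example.com","type":"User"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0"}},"outcome":{"result":"SUCCESS"},"target":[{"type":"PolicyEntity","displayName":"MFA Enrollment Policy"}]}
{"uuid":"e3","published":"2024-03-01T10:06:00.000Z","eventType":"policy.lifecycle.deactivate","actor":{"alternateId":"alice@example.com","type":"User"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0"}},"outcome":{"result":"FAILURE","reason":"Policy is a default policy"},"target":[{"type":"PolicyEntity","displayName":"Default Policy"}]}
{"uuid":"e4","published":"2024-03-01T11:00:00.000Z","eventType":"policy.lifecycle.update","actor":{"alternateId":"bob@example.com","type":"User"},"client":{"ipAddress":"198.51.100.7"},"outcome":{"result":"SUCCESS"},"target":[{"type":"PolicyEntity","displayName":"Sign On Policy"}]}
"""


def parse_events(text):
    """Parse newline-delimited JSON records as exported from the System Log API."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_policy_deactivation(event):
    """Rule selector: any policy.lifecycle.deactivate event, success or failure."""
    return event.get("eventType") == POLICY_DEACTIVATE


def summarize(event):
    """Extract the fields the investigation guide asks for."""
    actor = event.get("actor", {})
    client = event.get("client", {})
    user_agent = client.get("userAgent") or {}
    outcome = event.get("outcome", {})
    return {
        "uuid": event.get("uuid"),
        "published": event.get("published"),
        "actor": actor.get("alternateId"),
        "actor_type": actor.get("type"),
        "ip": client.get("ipAddress"),
        "user_agent": user_agent.get("rawUserAgent"),
        "outcome": outcome.get("result"),
        "reason": outcome.get("reason"),
        # Only policy targets; a single event may list other target types too.
        "targets": [t.get("displayName") for t in event.get("target", [])
                    if t.get("type") == "PolicyEntity"],
    }


def detect(text, window=timedelta(hours=1)):
    """Return one alert per deactivation attempt, annotated with how many
    attempts the same actor made within `window` (including this one)."""
    events = sorted(parse_events(text), key=lambda e: e.get("published", ""))
    attempts_by_actor = defaultdict(list)  # actor -> timestamps of attempts
    alerts = []
    for event in events:
        if not is_policy_deactivation(event):
            continue
        alert = summarize(event)
        ts = datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        recent = [t for t in attempts_by_actor[alert["actor"]] if ts - t <= window]
        recent.append(ts)
        attempts_by_actor[alert["actor"]] = recent
        alert["actor_attempts_in_window"] = len(recent)
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert, indent=2))
```

Run against the constructed log, `detect` returns two alerts for alice@example.com: the successful deactivation of the MFA enrollment policy and the failed attempt against the default policy a minute later, the second annotated with two attempts in the window. The sign-on policy update by bob@example.com is not matched, since the rule is scoped to deactivation, not to every policy change.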
Categories
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1562
  • T1562.007
Created: 2020-05-21