Attempt to Deactivate an Okta Policy Rule

Elastic Detection Rules

Summary
This rule is designed to detect attempts to deactivate rules within Okta policies, which is significant as such actions can indicate an adversary's effort to undermine security controls. The deactivation of policies may allow unauthorized access or escalate privileges by circumventing mechanisms like multi-factor authentication. The rule analyzes logs captured from the Okta integration to identify actionable events and gather contextual information about the actor's activities. Investigation should focus on validating the legitimacy of the deactivation attempt, understanding the actor's usual behavior, and checking for unusual patterns or successful logins following a deactivation attempt. It is crucial to respond appropriately to unauthorized actions by initiating incident response protocols and potentially locking user accounts involved in unauthorized activities. The rule also includes guidance on navigating false positives that may occur due to legitimate administrative actions and specifics around Okta's system behavior.
Categories
  • Identity Management
  • Cloud
  • AWS
  • Azure
  • Containers
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1562
  • T1562.007
Created: 2020-05-21