
Summary
This detection rule monitors changes to sign-on policies within Okta, specifically when an application's sign-on policy has been updated or a rule has been deleted from it. The rule logic checks events logged in the last two hours whose event type corresponds to either an update to an application sign-on policy or the deletion of a rule from one. Detecting these changes matters because unauthorized modifications to sign-on policy can enable persistence or privilege escalation by malicious actors. The rule leverages Okta's event logs to provide timely detection of, and response to, potentially suspicious changes that could affect an organization's security posture.
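The following is an added illustration of the detection logic described above, written for this page and not taken from the rule itself or from Okta. It assumes the two conditions map to the Okta System Log event types `application.policy.sign_on.update` and `application.policy.sign_on.rule.delete`, and that events use the System Log field names `eventType`, `published`, `actor.alternateId`, `target[].displayName` and `outcome.result`; the sample events are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Okta System Log event types assumed to correspond to the two conditions the
# rule describes (assumption for this example; not quoted from the page).
SIGN_ON_POLICY_EVENT_TYPES = {
    "application.policy.sign_on.update",       # sign-on policy for an app updated
    "application.policy.sign_on.rule.delete",  # a rule removed from a sign-on policy
}
LOOKBACK = timedelta(hours=2)  # the rule's two-hour window


def parse_okta_timestamp(value):
    # Okta timestamps are ISO 8601 with a trailing "Z"; older Pythons'
    # fromisoformat() does not accept "Z", so normalise it to an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_sign_on_policy_changes(events, now):
    """Return the events within the lookback window whose type is one of the
    sign-on policy change types, reduced to the fields an analyst triages on."""
    cutoff = now - LOOKBACK
    hits = []
    for ev in events:
        if ev.get("eventType") not in SIGN_ON_POLICY_EVENT_TYPES:
            continue
        if parse_okta_timestamp(ev["published"]) < cutoff:
            continue  # older than the window; a scheduled rule would have seen it earlier
        hits.append({
            "eventType": ev["eventType"],
            "published": ev["published"],
            "actor": ev.get("actor", {}).get("alternateId"),
            "targets": [t.get("displayName") for t in ev.get("target", [])],
            "outcome": ev.get("outcome", {}).get("result"),
        })
    return hits


# Constructed sample events (not real Okta data): two in-window policy changes,
# one policy change outside the window, and one unrelated event type.
NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"eventType": "application.policy.sign_on.update",
     "published": "2024-02-09T11:30:00.000Z",
     "actor": {"alternateId": "admin@example.com"},
     "target": [{"displayName": "Example App Sign-On Policy"}],
     "outcome": {"result": "SUCCESS"}},
    {"eventType": "application.policy.sign_on.rule.delete",
     "published": "2024-02-09T10:15:00Z",
     "actor": {"alternateId": "svc-automation@example.com"},
     "target": [{"displayName": "Require MFA rule"}],
     "outcome": {"result": "SUCCESS"}},
    {"eventType": "application.policy.sign_on.update",
     "published": "2024-02-09T08:00:00Z",   # four hours old: outside the window
     "actor": {"alternateId": "admin@example.com"},
     "target": [{"displayName": "Example App Sign-On Policy"}],
     "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.session.start",      # not a policy change
     "published": "2024-02-09T11:45:00Z",
     "actor": {"alternateId": "user@example.com"},
     "target": [],
     "outcome": {"result": "SUCCESS"}},
]

if __name__ == "__main__":
    for hit in find_sign_on_policy_changes(SAMPLE_EVENTS, NOW):
        print(hit)
```

In a SIEM the two-hour window is normally applied by the rule scheduler rather than in the query body; the explicit cutoff here makes the window visible. The actor and target fields are retained because routine administrative change control will also produce these events, and triage usually turns on who made the change and to which policy.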
Categories
- Identity Management
- Cloud
- Application
Data Sources
- Application Log
- Cloud Service
ATT&CK Techniques
- T1078
Created: 2024-02-09