
Summary
This detection rule identifies attempts to modify Okta policies, which may indicate an adversary weakening an organization's security controls, for example by relaxing multi-factor authentication (MFA) requirements so that stolen credentials alone are enough to sign in. The rule reads Okta system log events and alerts on those whose action is a policy lifecycle update. It carries a risk score of 21 (low severity) and is mapped to the Defense Evasion tactic, technique Impair Defenses (MITRE ATT&CK T1562); the match itself is a simple KQL query over the normalized event fields. Investigation should establish who the actor was, which client they used (IP address, user agent, location) at the time of the event, and exactly which policy was changed and how. False positives are expected in organizations that routinely tune Okta policies, so before escalating confirm that the actor holds an Okta administrator role, that the source location is consistent with that actor's normal activity, and that the change was planned. The rule depends on the Okta log being shipped through Filebeat so that the event fields are normalized as the query expects; events ingested another way may not match. If the modification is confirmed to be unauthorized, treat it as an active incident: lock the affected accounts, force password changes, and revert the policy change.
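The following is an added example, not the rule's own query and not code from Elastic or Okta. It replays the rule's logic over a few constructed Okta system-log events and then pulls out the fields the investigation steps above call for, adding two triage checks (known-administrator and corporate-network) so that a hit can be classified as benign or worth escalating. The field names (event.dataset, event.action, okta.actor, okta.client, okta.target), the corporate IP range, and the administrator allow-list are assumptions made for the illustration; they follow the layout the Filebeat Okta module produces but should be checked against your own index.

```python
"""Added example: replay the rule's predicate over constructed Okta events
and triage the hits. Not the rule's own code; field names follow the
Filebeat Okta module layout and are assumptions for this illustration."""
import json
from ipaddress import ip_address, ip_network

# Constructed sample events (not real Okta logs), one JSON document per line,
# shaped the way the Filebeat Okta module emits them.
SAMPLE_LOG_LINES = [
    json.dumps({"event": {"dataset": "okta.system", "action": "policy.lifecycle.update"},
                "okta": {"actor": {"alternate_id": "admin@example.com", "display_name": "Alice Admin"},
                         "client": {"ip": "10.20.30.40", "user_agent": {"raw_user_agent": "Mozilla/5.0"}},
                         "target": [{"type": "Policy", "display_name": "Default MFA Policy"}]}}),
    json.dumps({"event": {"dataset": "okta.system", "action": "user.session.start"},
                "okta": {"actor": {"alternate_id": "bob@example.com"}, "client": {"ip": "10.20.30.41"}}}),
    json.dumps({"event": {"dataset": "okta.system", "action": "policy.lifecycle.update"},
                "okta": {"actor": {"alternate_id": "contractor@example.com", "display_name": "Carol"},
                         "client": {"ip": "203.0.113.77"},
                         "target": [{"type": "Policy", "display_name": "Sign-On Policy"}]}}),
    # Same action string but a different dataset: must not match the rule.
    json.dumps({"event": {"dataset": "aws.cloudtrail", "action": "policy.lifecycle.update"}}),
]

# Assumed corporate egress range and Okta administrator allow-list used during
# triage (constructed values for this example; replace with your own).
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8")]
KNOWN_OKTA_ADMINS = {"admin@example.com"}


def matches_rule(doc):
    """Equivalent of the rule's KQL predicate:
    event.dataset:okta.system and event.action:policy.lifecycle.update"""
    ev = doc.get("event", {})
    return ev.get("dataset") == "okta.system" and ev.get("action") == "policy.lifecycle.update"


def triage(doc):
    """Extract the fields the investigation guide asks for (actor, client,
    targeted policy) and flag the conditions that turn a hit into an escalation."""
    okta = doc.get("okta", {})
    actor = okta.get("actor", {}).get("alternate_id", "<unknown>")
    ip = okta.get("client", {}).get("ip")
    targets = [t.get("display_name", "?") for t in okta.get("target", []) if t.get("type") == "Policy"]
    inside_corp = ip is not None and any(ip_address(ip) in net for net in CORPORATE_NETWORKS)
    known_admin = actor in KNOWN_OKTA_ADMINS
    return {
        "actor": actor,
        "client_ip": ip,
        "policies": targets,
        "actor_is_known_admin": known_admin,
        "client_in_corporate_range": inside_corp,
        # Escalate when either check fails; both passing is the usual benign case.
        "escalate": not (known_admin and inside_corp),
    }


def run_detection(lines):
    """Parse JSON lines, apply the rule predicate, and return triage records for hits."""
    hits = []
    for line in lines:
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than stop the pipeline
        if matches_rule(doc):
            hits.append(triage(doc))
    return hits


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_LOG_LINES):
        print(hit)
```

Running the block produces two hits: the first (a known administrator from the corporate range changing the MFA policy) is marked benign, the second (an unlisted account from an external address changing the sign-on policy) is marked for escalation. The CloudTrail event with the same action string is ignored because the dataset check fails, which is why the rule keys on both fields rather than the action alone.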
Categories
- Identity Management
- Cloud
- Web
Data Sources
- User Account
- Application Log
- Cloud Service
ATT&CK Techniques
- T1562
- T1562.007
Created: 2020-05-21