Update okta_application_modified_or_deleted.yml

Austin Songer 2021-09-12 20:19:57 -05:00 committed by GitHub
parent 9f70336879
commit 45b6ac72ee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,11 +1,9 @@
NOT READY YET
title: Okta
id:
description: Detects when an
title: Okta Application Modified or Deleted
id: 7899144b-e416-4c28-b0b5-ab8f9e0a541d
description: Detects when an application is modified or deleted.
author: Austin Songer
status: experimental
date: 2021/
date: 2021/09/12
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
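Review bot: The completed description line, "Detects when an application is modified or deleted.", does not name the product, so it reads ambiguously wherever the description is shown without the title. Suggest "Detects when an Okta application is modified or deleted." to match the title. The filled-in id and date look complete; with `status: experimental` kept, it is also worth confirming that the "NOT READY YET" marker at the top of the file is gone in the final version, since a stray first line like that would stop the file from parsing as YAML.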
@ -14,16 +12,12 @@ logsource:
detection:
selection:
eventtype:
-
-
displaymessage:
-
-
- application.lifecycle.update
- application.lifecycle.delete
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Okta <Placeholder> being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Okta <Placeholder> modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Unknown
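Review bot: In the `falsepositives` list, two entries carry the literal template token `<Placeholder>` and the list also ends with `- Unknown`; whichever of these remain after this change should be consistent, so either replace `<Placeholder>` with "application" in the entries that stay or keep only `- Unknown`, not both. Separately, the `eventtype` selection matches every `application.lifecycle.update`, which the false-positive text itself says administrators perform routinely, so at `level: medium` this is likely to be noisy; consider noting in the description that consumers are expected to filter on known admin actors. The `tags` entry lists only `attack.impact`; if a specific technique applies, adding its tag would help triage.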