From 45b6ac72eeb1c0cbe38dee923431066b509094e3 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 12 Sep 2021 20:19:57 -0500
Subject: [PATCH] Update okta_application_modified_or_deleted.yml
---
 .../okta_application_modified_or_deleted.yml | 22 +++++++------------
 1 file changed, 8 insertions(+), 14 deletions(-)
diff --git a/rules/cloud/okta/okta_application_modified_or_deleted.yml b/rules/cloud/okta/okta_application_modified_or_deleted.yml
index ca73d4f7..63401971 100644
--- a/rules/cloud/okta/okta_application_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_application_modified_or_deleted.yml
@@ -1,11 +1,9 @@
-NOT READY YET
-
-title: Okta
-id:
-description: Detects when an
+title: Okta Application Modified or Deleted
+id: 7899144b-e416-4c28-b0b5-ab8f9e0a541d
+description: Detects when an application is modified or deleted.
 author: Austin Songer
 status: experimental
-date: 2021/
+date: 2021/09/12
 references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://developer.okta.com/docs/reference/api/event-types/
@@ -14,16 +12,12 @@ logsource:
 detection:
 selection:
 eventtype:
- -
- -
- displaymessage:
- -
- -
+ - application.lifecycle.update
+ - application.lifecycle.delete
 condition: selection
 level: medium
 tags:
 - attack.impact
 falsepositives:
- - Okta being modified or deleted may be performed by a system administrator.
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Okta modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Unknown
+
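Review bot: The `falsepositives` list at the end of the second hunk is reduced to `- Unknown`, which throws away the triage guidance the draft already had. Because `application.lifecycle.update` is logged for routine administrator changes, I would keep an entry such as `- Application changes made by an Okta administrator during planned maintenance`, together with the advice to verify the acting user, user agent and hostname. The selection also omits `application.lifecycle.deactivate`; as far as I know Okta requires an application to be deactivated before it can be deleted, so it is worth deciding whether that event belongs in this rule or a sibling one. The trailing blank line added after `- Unknown` can be dropped.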