Rules: Okta - Policy Rule Added
An Okta policy rule has been added through the Okta admin application. The field "fields["target.1.displayName"]" contains the name of this rule for investigation purposes. Ensure that this activity is planned and performed by an authorized Okta administrator. Examine other generated signals for the user to further investigation activities.
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Initial Access |
| Apply Risk to Entities | user_username, srcDevice_ip |
| Signal Name | Okta - Policy Rule Added |
| Summary Expression | Okta Policy Rule Added by {{user_username}} from {{srcDevice_ip}} |
| Score/Severity | Static: 2 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0001, _mitreAttackTechnique:T1078.004 |
| Origin | Field |
|---|---|
| Normalized Schema | description |
| Normalized Schema | metadata_vendor |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | user_username |