diff --git a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
new file mode 100644
index 00000000000..f255af9067b
--- /dev/null
+++ b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -0,0 +1,35 @@
+[metadata]
+creation_date = "2020/07/01"
+ecs_version = ["1.5.0"]
+maturity = "production"
+updated_date = "2020/07/01"
+
+[rule]
+author = ["Elastic"]
+description = """
+An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an
+organization's security controls.
+"""
+false_positives = [
+ """
+ Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are
+ regularly modified or deleted in your organization.
+ """,
+]
+index = ["filebeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Modification or Removal of an Okta Application Sign-On Policy"
+references = [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+]
+risk_score = 47
+rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe"
+severity = "medium"
+tags = ["Elastic", "Okta"]
+type = "query"
+
+query = '''
+event.module:okta and event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)
+'''
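Review bot: The `query` at the end of the hunk matches only `application.policy.sign_on.update` and `application.policy.sign_on.rule.delete`, which is narrower than the rule `name` ("Modification or Removal of an Okta Application Sign-On Policy") and `description` suggest: an edit to an individual sign-on rule, or deletion of the whole policy, would not fire if Okta emits distinct event types for those actions. That is worth confirming against the event-types reference already listed under `references`, then either widening the `event.action` set or narrowing the name so the coverage is not overstated to whoever triages alerts. Whatever the outcome, a comment above `query` recording the decision would stop the next maintainer from re-deriving it, e.g. `# Intentionally limited to policy-level updates and rule-level deletes; sibling event types were reviewed on YYYY/MM/DD`. The `false_positives` text could also point the tuning at the acting admin rather than the whole rule, since routine changes usually come from a small, known set of administrators.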