consider adding exceptions to this rule to filter false positives if the mfa factors for okta user accounts are regularly reset in your organization.

t1098
okta
elastic

Techniques

T1098

Sample rules

Attempt to Reset MFA Factors for an Okta User Account

source: elastic
technicques:
- T1098

Description

Detects attempts to reset an Okta user’s enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user’s account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim’s environment.

Detection logic

event.dataset:okta.system and event.action:user.mfa.factor.reset_all