If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives.

Techniques

Sample rules

MFA Deactivation with no Re-Activation for Okta User Account

Description

Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.

Detection logic

sequence by okta.actor.id with maxspan=12h
    [any where event.dataset == "okta.system" and okta.event_type in ("user.mfa.factor.deactivate", "user.mfa.factor.reset_all")
        and okta.outcome.reason != "User reset SECURITY_QUESTION factor" and okta.outcome.result == "SUCCESS"]
    ![any where event.dataset == "okta.system" and okta.event_type == "user.mfa.factor.activate"]
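To see how the sequence above behaves on real-looking data, and where an exception list fits into it, the following is an added Python example; it is not part of the LoFP page or of the Elastic rule it summarizes. It re-implements the EQL logic (a successful deactivate or reset_all by an actor, not followed by an activate from the same actor within 12 hours, excluding the security-question reset reason) as plain Python over a constructed set of Okta system log events. The field names are those used in the query; the event contents, actor ids and the `expected_actors` exception parameter are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constants mirrored from the EQL query.
MAXSPAN = timedelta(hours=12)
DEACTIVATE_TYPES = {"user.mfa.factor.deactivate", "user.mfa.factor.reset_all"}
ACTIVATE_TYPE = "user.mfa.factor.activate"
EXCLUDED_REASON = "User reset SECURITY_QUESTION factor"


def is_deactivation(ev):
    """First sequence step: successful MFA deactivation/reset, not a security-question reset."""
    return (ev.get("event.dataset") == "okta.system"
            and ev.get("okta.event_type") in DEACTIVATE_TYPES
            and ev.get("okta.outcome.reason") != EXCLUDED_REASON
            and ev.get("okta.outcome.result") == "SUCCESS")


def is_activation(ev):
    """Second (negated) sequence step: any MFA factor activation."""
    return ev.get("event.dataset") == "okta.system" and ev.get("okta.event_type") == ACTIVATE_TYPE


def find_unreactivated_deactivations(events, maxspan=MAXSPAN, expected_actors=frozenset()):
    """Approximate 'sequence by okta.actor.id with maxspan ... ![activate]'.

    Returns the deactivation events for which the same actor produced no
    activation within maxspan afterwards. Actors in expected_actors (assumed
    exception list, e.g. a help-desk automation account) are skipped, which is
    the false-positive filtering the LoFP note recommends.
    """
    events = sorted(events, key=lambda e: e["@timestamp"])
    by_actor = {}
    for ev in events:
        by_actor.setdefault(ev["okta.actor.id"], []).append(ev)

    hits = []
    for actor, evs in by_actor.items():
        if actor in expected_actors:
            continue
        for i, ev in enumerate(evs):
            if not is_deactivation(ev):
                continue
            deadline = ev["@timestamp"] + maxspan
            followed = any(is_activation(later) and later["@timestamp"] <= deadline
                           for later in evs[i + 1:])
            if not followed:
                hits.append(ev)
    return hits


def _ev(actor, etype, ts, result="SUCCESS", reason="User reset OKTA_VERIFY_PUSH factor"):
    # Helper to build a constructed okta.system event with the fields the query reads.
    return {"@timestamp": ts, "event.dataset": "okta.system", "okta.actor.id": actor,
            "okta.event_type": etype, "okta.outcome.result": result, "okta.outcome.reason": reason}


# Constructed sample log, not real Okta data.
_BASE = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    # A: deactivate then re-activate one hour later -> benign factor rotation, no alert.
    _ev("00u_admin_A", "user.mfa.factor.deactivate", _BASE),
    _ev("00u_admin_A", "user.mfa.factor.activate", _BASE + timedelta(hours=1)),
    # B: reset_all with no activation at all -> alert.
    _ev("00u_admin_B", "user.mfa.factor.reset_all", _BASE + timedelta(minutes=10)),
    # C: security-question reset is excluded by the query -> no alert.
    _ev("00u_admin_C", "user.mfa.factor.deactivate", _BASE + timedelta(minutes=20),
        reason=EXCLUDED_REASON),
    # D: activation arrives 13h later, outside maxspan -> alert.
    _ev("00u_admin_D", "user.mfa.factor.deactivate", _BASE + timedelta(minutes=30)),
    _ev("00u_admin_D", "user.mfa.factor.activate", _BASE + timedelta(hours=13)),
    # E: failed deactivation does not satisfy the first step -> no alert.
    _ev("00u_admin_E", "user.mfa.factor.deactivate", _BASE + timedelta(minutes=40), result="FAILURE"),
]


def alerting_actors(events=SAMPLE_EVENTS, expected_actors=frozenset()):
    """Actor ids that would fire the rule, in timestamp order."""
    return [h["okta.actor.id"] for h in find_unreactivated_deactivations(events, expected_actors=expected_actors)]


if __name__ == "__main__":
    print("alerts:", alerting_actors())
    print("alerts with exception for 00u_admin_D:", alerting_actors(expected_actors={"00u_admin_D"}))
```

With the constructed log, actors B and D fire and A, C and E do not; adding D to the exception set suppresses that alert, which is the intended effect of the rule exception the LoFP note describes. One caveat on fidelity: EQL evaluates the missing-event step on its own event stream, so on an Elastic stack the real rule, not this re-implementation, is authoritative.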