LoFP / If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives.

Techniques

Sample rules

MFA Deactivation with no Re-Activation for Okta User Account

Description

Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.

Detection logic

sequence by okta.actor.id with maxspan=12h
    [any where event.dataset == "okta.system" and okta.event_type == "user.mfa.factor.deactivate"
        and okta.outcome.result == "SUCCESS" and not okta.client.user_agent.raw_user_agent like "SFDC-Callout*"]
    ![any where event.dataset == "okta.system" and okta.event_type == "user.mfa.factor.activate"]
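To show how the sequence above decides whether to fire, here is an added Python re-implementation of its logic run over constructed Okta system-log events. This is example code written for this page, not the rule's own code or an Elastic/Okta artifact; the event dictionaries, actor ids, timestamps and the `excluded_actor_ids` exception list are all assumptions, and the field names are simply the `okta.*` and `event.dataset` keys used in the query.

```python
"""Added example: a small re-implementation of the EQL sequence
  sequence by okta.actor.id with maxspan=12h [deactivate] ![activate]
over constructed Okta events. Not the rule's own code; sample data is made up."""
from datetime import datetime, timedelta

MAXSPAN = timedelta(hours=12)          # the rule's maxspan=12h
DEACTIVATE = "user.mfa.factor.deactivate"
ACTIVATE = "user.mfa.factor.activate"


def _ts(ev):
    # Constructed events carry ISO-8601 timestamps without a zone suffix.
    return datetime.fromisoformat(ev["@timestamp"])


def is_deactivation(ev):
    """First sequence step: a successful MFA-factor deactivation whose user
    agent does not start with 'SFDC-Callout' (the query's own exclusion)."""
    ua = ev.get("okta.client.user_agent.raw_user_agent") or ""
    return (
        ev.get("event.dataset") == "okta.system"
        and ev.get("okta.event_type") == DEACTIVATE
        and ev.get("okta.outcome.result") == "SUCCESS"
        and not ua.startswith("SFDC-Callout")
    )


def is_activation(ev):
    """The negated second step: any MFA-factor activation in okta.system."""
    return ev.get("event.dataset") == "okta.system" and ev.get("okta.event_type") == ACTIVATE


def find_unreactivated_deactivations(events, now, maxspan=MAXSPAN, excluded_actor_ids=()):
    """Return (actor_id, deactivation timestamp) for every deactivation that was
    not followed within maxspan by an activation from the same okta.actor.id.

    `now` is the evaluation time: a deactivation whose 12h window has not yet
    closed is skipped, because the missing-event step cannot be decided yet
    (assumed behaviour for this simulation). `excluded_actor_ids` is a
    hypothetical exception list of the kind the LoFP note above suggests.
    """
    ordered = sorted(events, key=_ts)
    alerts = []
    for i, ev in enumerate(ordered):
        if not is_deactivation(ev):
            continue
        actor = ev.get("okta.actor.id")
        if actor in excluded_actor_ids:
            continue
        start = _ts(ev)
        deadline = start + maxspan
        if deadline > now:
            continue  # window still open; nothing to report yet
        reactivated = any(
            is_activation(later)
            and later.get("okta.actor.id") == actor
            and start <= _ts(later) <= deadline
            for later in ordered[i + 1:]
        )
        if not reactivated:
            alerts.append((actor, ev["@timestamp"]))
    return alerts


def _okta(actor, event_type, ts, result="SUCCESS", ua="Mozilla/5.0"):
    # Builds one constructed okta.system event with the fields the query reads.
    return {
        "@timestamp": ts,
        "event.dataset": "okta.system",
        "okta.actor.id": actor,
        "okta.event_type": event_type,
        "okta.outcome.result": result,
        "okta.client.user_agent.raw_user_agent": ua,
    }


# Constructed sample log: one legitimate reset, one bare deactivation, the
# SFDC-Callout exclusion, a failed attempt, and a re-activation that is too late.
SAMPLE_EVENTS = [
    _okta("admin-1", DEACTIVATE, "2024-05-01T08:00:00"),
    _okta("admin-1", ACTIVATE, "2024-05-01T08:30:00"),
    _okta("admin-2", DEACTIVATE, "2024-05-01T09:00:00"),
    _okta("svc-sfdc", DEACTIVATE, "2024-05-01T09:15:00", ua="SFDC-Callout/1.0"),
    _okta("admin-3", DEACTIVATE, "2024-05-01T10:00:00", result="FAILURE"),
    _okta("admin-4", DEACTIVATE, "2024-05-01T07:00:00"),
    _okta("admin-4", ACTIVATE, "2024-05-01T20:00:00"),  # 13h later: outside maxspan
]

EVAL_TIME = datetime.fromisoformat("2024-05-02T00:00:00")

if __name__ == "__main__":
    for actor, when in find_unreactivated_deactivations(SAMPLE_EVENTS, EVAL_TIME):
        print(f"ALERT actor={actor} deactivated_at={when} no re-activation within 12h")
```

Two points worth noticing when tuning this rule: the sequence is keyed on `okta.actor.id`, so the re-activation only cancels the alert if the same actor performs it, and the only built-in exclusion is the `SFDC-Callout*` user agent. Expected, routine deactivations by other integrations or help-desk accounts are exactly the cases the LoFP note above says to handle with rule exceptions, which the `excluded_actor_ids` parameter stands in for here.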