Techniques
Sample rules
MFA Deactivation with no Re-Activation for Okta User Account
- source: elastic
- techniques:
  - T1556
Description
Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.
Detection logic
sequence by okta.actor.id with maxspan=12h
[any where event.dataset == "okta.system" and okta.event_type == "user.mfa.factor.deactivate"
and okta.outcome.result == "SUCCESS" and not okta.client.user_agent.raw_user_agent like "SFDC-Callout*"]
![any where event.dataset == "okta.system" and okta.event_type == "user.mfa.factor.activate"]
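The sequence logic above, replayed in Python over constructed events (an added example, not part of the Elastic rule). The helper names, the sample events and the `now` cut-off used to decide that a 12h window has closed are assumptions of this sketch.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(hours=12)  # maxspan=12h in the rule

def ev(ts, actor, etype, result="SUCCESS", ua="Mozilla/5.0"):
    """Build one constructed okta.system event using the rule's field names."""
    return {"@timestamp": datetime.fromisoformat(ts), "event.dataset": "okta.system",
            "okta.actor.id": actor, "okta.event_type": etype,
            "okta.outcome.result": result,
            "okta.client.user_agent.raw_user_agent": ua}

def is_deactivation(e):
    # First sequence step; `like "SFDC-Callout*"` is a prefix match.
    return (e["event.dataset"] == "okta.system"
            and e["okta.event_type"] == "user.mfa.factor.deactivate"
            and e["okta.outcome.result"] == "SUCCESS"
            and not e["okta.client.user_agent.raw_user_agent"].startswith("SFDC-Callout"))

def is_activation(e):
    # The negated step: any activation event, whatever its outcome.
    return (e["event.dataset"] == "okta.system"
            and e["okta.event_type"] == "user.mfa.factor.activate")

def unreactivated(events, now):
    """Return (actor id, deactivation time) pairs that the rule would flag."""
    events = sorted(events, key=lambda e: e["@timestamp"])
    hits = []
    for i, e in enumerate(events):
        if not is_deactivation(e):
            continue
        deadline = e["@timestamp"] + MAXSPAN
        if deadline > now:
            continue  # assumption: window still open, absence not yet provable
        if not any(is_activation(x) and x["okta.actor.id"] == e["okta.actor.id"]
                   and x["@timestamp"] <= deadline for x in events[i + 1:]):
            hits.append((e["okta.actor.id"], e["@timestamp"]))
    return hits

SAMPLE = [  # constructed events, not real Okta logs
    ev("2024-01-01T08:00:00", "actor-A", "user.mfa.factor.deactivate"),
    ev("2024-01-01T08:10:00", "actor-B", "user.mfa.factor.deactivate"),
    ev("2024-01-01T08:15:00", "actor-C", "user.mfa.factor.deactivate", ua="SFDC-Callout/55.0"),
    ev("2024-01-01T08:20:00", "actor-D", "user.mfa.factor.deactivate"),
    ev("2024-01-01T08:25:00", "actor-E", "user.mfa.factor.deactivate", result="FAILURE"),
    ev("2024-01-01T09:30:00", "actor-A", "user.mfa.factor.activate"),
    ev("2024-01-01T21:00:00", "actor-D", "user.mfa.factor.activate"),  # 12h40m later
]

if __name__ == "__main__":
    print(unreactivated(SAMPLE, now=datetime(2024, 1, 2)))
```

Because the sequence is joined on `okta.actor.id`, an activation logged under a different actor id does not close the window: actor-B is still flagged even though actor-A activates a factor afterwards.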