Techniques
Sample rules
Okta Multi-Factor Authentication Disabled
- source: splunk
- techniques:
- T1556.006
Description
The following analytic identifies an attempt to disable multi-factor authentication (MFA) for an Okta user. It leverages OktaIM2 logs to detect when the 'user.mfa.factor.deactivate' command is executed. This activity is significant because disabling MFA can allow an adversary to maintain persistence within the environment using a compromised valid account. If confirmed malicious, this action could enable attackers to bypass additional security layers, potentially leading to unauthorized access to sensitive information and a prolonged undetected presence in the network.
Detection logic
| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime FROM datamodel=Change
    WHERE sourcetype="OktaIM2:log" All_Changes.object_category=User
      AND All_Changes.action=modified All_Changes.command=user.mfa.factor.deactivate
    BY All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.dest
| `drop_dm_object_name("All_Changes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_multi_factor_authentication_disabled_filter`
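To see what the search above actually produces, here is an added Python example (not part of the Splunk detection or the Okta add-on) that applies the same grouping to a handful of constructed Okta System Log events: it keeps only `user.mfa.factor.deactivate` events, groups them by user, result, command, source and destination, and reports count, firstTime and lastTime per group, as the tstats search does. The mapping from raw Okta JSON to the Change data model fields (actor.alternateId as user, client.ipAddress as src, the User target as dest) is an assumption made for the example, and the `ignore_users` parameter is a stand-in for the tuning that the `okta_multi_factor_authentication_disabled_filter` macro exists for.

```python
import json
from datetime import datetime, timezone

# The command the detection keys on, exactly as in the SPL search.
DEACTIVATE_COMMAND = "user.mfa.factor.deactivate"

# Constructed sample events (not real data) in the JSON shape of the Okta
# System Log: eventType, outcome.result, actor.alternateId, client.ipAddress
# and a target list.  Two deactivations by the same admin, one failed attempt
# from another account, and two unrelated events that must be ignored.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"published":"2024-05-01T10:00:00.000Z","eventType":"user.mfa.factor.deactivate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"admin@example.test"},"client":{"ipAddress":"198.51.100.7"},"target":[{"type":"User","alternateId":"victim@example.test"}]}
{"published":"2024-05-01T10:02:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"victim@example.test"},"client":{"ipAddress":"198.51.100.7"},"target":[]}
{"published":"2024-05-01T10:05:00.000Z","eventType":"user.mfa.factor.deactivate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"admin@example.test"},"client":{"ipAddress":"198.51.100.7"},"target":[{"type":"User","alternateId":"victim@example.test"}]}
{"published":"2024-05-01T11:00:00.000Z","eventType":"user.mfa.factor.deactivate","outcome":{"result":"FAILURE"},"actor":{"alternateId":"intruder@example.test"},"client":{"ipAddress":"203.0.113.9"},"target":[{"type":"User","alternateId":"victim@example.test"}]}
{"published":"2024-05-01T11:30:00.000Z","eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"victim@example.test"},"client":{"ipAddress":"198.51.100.20"},"target":[{"type":"User","alternateId":"victim@example.test"}]}
""".strip().splitlines()]


def okta_to_change_model(event):
    """Map a raw Okta System Log event onto the Change data model fields the
    search groups by.  ASSUMPTION for this example: actor.alternateId -> user,
    client.ipAddress -> src, the first User target -> dest, eventType -> command."""
    published = event["published"].replace("Z", "+00:00")
    dest = next((t.get("alternateId") for t in event.get("target", [])
                 if t.get("type") == "User"), None)
    return {
        "_time": datetime.fromisoformat(published).timestamp(),
        "user": event["actor"]["alternateId"],
        "result": event["outcome"]["result"],
        "command": event["eventType"],
        "src": event["client"]["ipAddress"],
        "dest": dest,
    }


def ctime(epoch):
    """Render an epoch timestamp like `security_content_ctime` does (UTC here)."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def detect_mfa_disabled(events, ignore_users=frozenset()):
    """Emulate the tstats search: keep only deactivate commands, group by
    user/result/command/src/dest, and return count, firstTime, lastTime.
    `ignore_users` plays the role of the *_filter macro (known-good admins
    or break-glass accounts a SOC has reviewed and chosen to suppress)."""
    groups = {}
    for raw in events:
        row = okta_to_change_model(raw)
        if row["command"] != DEACTIVATE_COMMAND or row["user"] in ignore_users:
            continue
        key = (row["user"], row["result"], row["command"], row["src"], row["dest"])
        g = groups.setdefault(key, {"count": 0, "first": row["_time"], "last": row["_time"]})
        g["count"] += 1
        g["first"] = min(g["first"], row["_time"])
        g["last"] = max(g["last"], row["_time"])

    results = []
    for (user, result, command, src, dest), g in sorted(groups.items()):
        results.append({
            "user": user, "result": result, "command": command,
            "src": src, "dest": dest, "count": g["count"],
            "firstTime": ctime(g["first"]), "lastTime": ctime(g["last"]),
        })
    return results


if __name__ == "__main__":
    for hit in detect_mfa_disabled(SAMPLE_EVENTS):
        print(hit)
```

Two rows come out of the sample: the admin's two successful deactivations collapse into one row with count 2 and a five-minute firstTime/lastTime window, and the failed attempt from the other account is its own row. Passing `ignore_users={"admin@example.test"}` suppresses the first row, which is the kind of tuning to record in the filter macro rather than by loosening the base search.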