Okta MFA Reset or Deactivated

 1title: Okta MFA Reset or Deactivated
 2id: 50e068d7-1e6b-4054-87e5-0a592c40c7e0
 3status: test
 4description: Detects when an attempt at deactivating  or resetting MFA.
 5references:
 6    - https://developer.okta.com/docs/reference/api/system-log/
 7    - https://developer.okta.com/docs/reference/api/event-types/
 8author: Austin Songer @austinsonger
 9date: 2021/09/21
10modified: 2022/10/09
11tags:
12    - attack.persistence
13    - attack.credential_access
14    - attack.defense_evasion
15    - attack.t1556.006
16logsource:
17    product: okta
18    service: okta
19detection:
20    selection:
21        eventtype:
22            - user.mfa.factor.deactivate
23            - user.mfa.factor.reset_all
24    condition: selection
25falsepositives:
26    - If a MFA reset or deactivated was performed by a system administrator.
27level: medium

References

• System Log | Okta Developer

  

  Secure, scalable, and highly available authentication and user management for any app.

  
  Read More

• Event Types | Okta Developer

  Secure, scalable, and highly available authentication and user management for any app.

  
  Read More

Related rules

• UAC Bypass With Fake DLL
• Time Travel Debugging Utility Usage
• File Time Attribute Change
• Okta API Token Created
• Okta Admin Role Assigned to an User or Group