Okta MFA Reset or Deactivated
Detects an attempt to deactivate or reset MFA.
Sigma rule
```yaml
title: Okta MFA Reset or Deactivated
id: 50e068d7-1e6b-4054-87e5-0a592c40c7e0
status: test
description: Detects when an attempt at deactivating or resetting MFA.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021/09/21
modified: 2022/10/09
tags:
    - attack.persistence
    - attack.credential_access
    - attack.defense_evasion
    - attack.t1556.006
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventtype:
            - user.mfa.factor.deactivate
            - user.mfa.factor.reset_all
    condition: selection
falsepositives:
    - If a MFA reset or deactivated was performed by a system administrator.
level: medium
```
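The rule's selection applied to Okta System Log events, as an added example that is not part of the Sigma rule or the SigmaHQ project. It assumes the rule's `eventtype` field maps to the raw `eventType` key, and it adds a hypothetical actor-versus-target triage step to help sort out the administrator false positive; all events are constructed.

```python
# Added example. Assumes Okta System Log JSON keys (eventType, actor, target,
# outcome, published); the triage labels are hypothetical, not part of the rule.
RULE_EVENT_TYPES = {"user.mfa.factor.deactivate", "user.mfa.factor.reset_all"}

def matches_rule(event):
    """Sigma `selection`: eventtype equals any listed value (case-insensitive)."""
    return str(event.get("eventType", "")).lower() in RULE_EVENT_TYPES

def triage(event):
    """Return None if the rule does not fire, else a summary for the analyst."""
    if not matches_rule(event):
        return None
    actor = event.get("actor", {}).get("alternateId", "unknown")
    users = [t.get("alternateId") for t in event.get("target") or []
             if t.get("type") == "User"]
    # Assumption: an actor changing another user's factors is an admin or
    # help-desk action (the rule's documented false positive) to be checked
    # against a change record; actor == target is a self-service change.
    if not users:
        kind = "no_user_target"
    elif all(u == actor for u in users):
        kind = "self_service"
    else:
        kind = "performed_by_other"
    return {"time": event.get("published"), "event": event["eventType"],
            "actor": actor, "targets": users, "kind": kind,
            "result": event.get("outcome", {}).get("result")}

def run(events):
    """Evaluate every event and keep only the ones that raise an alert."""
    return [alert for alert in map(triage, events) if alert]

SAMPLE_EVENTS = [  # constructed sample data, not real logs
    {"published": "2024-01-01T10:00:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"}, "target": []},
    {"published": "2024-01-01T10:05:00Z", "eventType": "user.mfa.factor.deactivate",
     "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"},
     "target": [{"type": "User", "alternateId": "alice@example.com"}]},
    {"published": "2024-01-01T11:00:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "admin@example.com"}, "outcome": {"result": "SUCCESS"},
     "target": [{"type": "User", "alternateId": "bob@example.com"}]},
    {"published": "2024-01-01T11:30:00Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "bob@example.com"}, "target": []},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```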
Related rules
- UAC Bypass With Fake DLL
- Time Travel Debugging Utility Usage
- File Time Attribute Change
- Okta API Token Created
- Okta Admin Role Assigned to an User or Group