Okta: MFA Reset or Deactivated

Anvilogic Forge

Summary
This detection rule identifies when a user's Multi-Factor Authentication (MFA) settings in Okta have been either deactivated or reset within the last two hours. This activity is significant and warrants investigation, as it may indicate attempts by threat actors associated with groups such as LUCR-3, Lapsus$, and Scattered Spider (0ktapus, UNC3944) to compromise user accounts by manipulating MFA settings, which can lead to unauthorized access and potential data breaches. The detection is executed through a Snowflake SQL query that inspects the Okta logs. It queries the event log for specific event types related to MFA deactivation or reset, ensuring rapid response to such potential threats.
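The page describes the rule but does not reproduce its Snowflake SQL. As an added example that is not Anvilogic Forge's rule or query, the Python below applies the same logic (select Okta events whose type records an MFA factor being deactivated or all factors being reset, limited to the last two hours) to a few constructed Okta System Log records so it can be run offline. The two eventType values are real Okta System Log event types; the sample records, the fixed clock, the field selection and the self-service flag are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Okta System Log eventType values that record an MFA factor being removed
# or all of a user's factors being reset (real Okta event type names).
MFA_RESET_EVENT_TYPES = {
    "user.mfa.factor.deactivate",
    "user.mfa.factor.reset_all",
}

# Fixed "current time" so the example is deterministic (constructed value).
NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)

# Constructed Okta System Log records: real field names, made-up values.
SAMPLE_LOG_LINES = [
    json.dumps({  # helpdesk resets all of alice's factors, 30 min ago
        "eventType": "user.mfa.factor.reset_all",
        "published": "2024-02-09T11:30:00.000Z",
        "actor": {"alternateId": "helpdesk@example.com", "type": "User"},
        "target": [{"alternateId": "alice@example.com", "type": "User"}],
        "client": {"ipAddress": "198.51.100.10"},
        "outcome": {"result": "SUCCESS"},
    }),
    json.dumps({  # bob deactivates one of his own factors, 10 min ago
        "eventType": "user.mfa.factor.deactivate",
        "published": "2024-02-09T11:50:00.000Z",
        "actor": {"alternateId": "bob@example.com", "type": "User"},
        "target": [{"alternateId": "bob@example.com", "type": "User"}],
        "client": {"ipAddress": "203.0.113.7"},
        "outcome": {"result": "SUCCESS"},
    }),
    json.dumps({  # ordinary sign-in, not an MFA change
        "eventType": "user.session.start",
        "published": "2024-02-09T11:55:00.000Z",
        "actor": {"alternateId": "alice@example.com", "type": "User"},
        "target": [],
        "client": {"ipAddress": "198.51.100.10"},
        "outcome": {"result": "SUCCESS"},
    }),
    json.dumps({  # MFA reset, but six hours old: outside the rule's window
        "eventType": "user.mfa.factor.reset_all",
        "published": "2024-02-09T06:00:00.000Z",
        "actor": {"alternateId": "helpdesk@example.com", "type": "User"},
        "target": [{"alternateId": "carol@example.com", "type": "User"}],
        "client": {"ipAddress": "198.51.100.10"},
        "outcome": {"result": "SUCCESS"},
    }),
]


def parse_published(ts):
    """Okta publishes timestamps as 2024-02-09T11:30:00.000Z (UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def find_mfa_reset_events(log_lines, now=NOW, lookback_hours=2.0):
    """Return MFA deactivate/reset events published within the lookback window.

    Mirrors the rule's filter: eventType in the reset set, published within
    the last `lookback_hours` (two hours by default, as the rule states).
    """
    window_start = now - timedelta(hours=lookback_hours)
    hits = []
    for line in log_lines:
        event = json.loads(line)
        if event.get("eventType") not in MFA_RESET_EVENT_TYPES:
            continue
        published = parse_published(event["published"])
        if published < window_start or published > now:
            continue
        actor = event.get("actor", {}).get("alternateId")
        targets = [t.get("alternateId") for t in event.get("target", [])
                   if t.get("type") == "User"]
        hits.append({
            "event_type": event["eventType"],
            "published": published.isoformat(),
            "actor": actor,
            "targets": targets,
            "src_ip": event.get("client", {}).get("ipAddress"),
            "outcome": event.get("outcome", {}).get("result"),
            # Assumption for triage context: a user changing their own factor
            # is a different case from an admin/helpdesk resetting someone else.
            "self_service": actor in targets,
        })
    return hits


if __name__ == "__main__":
    for hit in find_mfa_reset_events(SAMPLE_LOG_LINES):
        print(hit)
```

The hits carry the actor, target user, source IP and a self-service flag because those are the fields an analyst needs first when deciding whether a reset was a legitimate helpdesk action or the prelude to an account takeover.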
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • Application Log
ATT&CK Techniques
  • T1078
Created: 2024-02-09