
Okta Service App Deactivated User MFA Factor

Panther Rules

Summary
Detects when an Okta service application (actor.type = PublicClientAppEntity) deactivates a user's MFA factor, as recorded in the Okta SystemLog. This action is rarely benign: it can indicate credential compromise, or an attacker-granted okta.factors.manage scope being used to weaken authentication ahead of an account takeover. The rule matches events of type user.mfa.factor.deactivate and captures the actor (displayName and id), the source IP (client.ipAddress), the target user (alternateId), and the removed MFA factor (outcome.reason). It maps to MITRE ATT&CK T1556.006 (Modify Authentication Process: Multi-Factor Authentication).

The runbook describes a multi-stage correlation:
  1. Extract the actor, source IP, target user, and factor type from alert_context.
  2. Query Okta system logs for the 4 hours before the event for client_credentials grant events and admin consent involving the actor, to determine whether the okta.factors.manage scope was sanctioned and by which admin.
  3. Query logs from the event time up to now (capped at 2 hours) for user.mfa.factor.activate, device.user.add, or new-IP user.session.start events for the target user, since attackers often enroll a replacement factor within minutes of deleting the old one. If the window is under 30 minutes with zero matching rows, flag the alert as pending and schedule a follow-up.

Deduplication is 60 minutes. This rule supports threat detection in identity management and cloud identity environments and is relevant to investigations of credential access and defense evasion involving authentication processes.
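The detection and the post-deactivation correlation from runbook step 3, written out as an added example. This is not the Panther rule's own source: it mimics a Panther-style rule()/alert_context() pair and a follow-up helper over constructed Okta SystemLog events. Field paths follow Okta's System Log schema; the baseline of known IPs used to judge a "new-IP" sign-in, the helper names, and all sample values are assumptions.

```python
"""Added example, not the Panther rule's source: a rule()/alert_context() pair
for the detection above plus a helper for runbook step 3, run over constructed
Okta SystemLog events. The Panther runtime (deep_get, scheduled queries) is
not used; known_ips is an assumed per-user baseline for the new-IP check."""
from datetime import datetime, timedelta, timezone

SERVICE_APP_ACTOR_TYPE = "PublicClientAppEntity"  # actor.type value named on the page
FOLLOWUP_CAP = timedelta(hours=2)                  # runbook: query up to now, capped at 2h
PENDING_THRESHOLD = timedelta(minutes=30)          # runbook: <30 min and no rows -> pending
FOLLOWUP_EVENT_TYPES = {"user.mfa.factor.activate", "device.user.add", "user.session.start"}


def _get(event, *path):
    """Safe nested lookup (stands in for Panther's event.deep_get)."""
    cur = event
    for key in path:
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur


def rule(event):
    """Fire only when a service app, not a human, deactivates an MFA factor."""
    return (event.get("eventType") == "user.mfa.factor.deactivate"
            and _get(event, "actor", "type") == SERVICE_APP_ACTOR_TYPE)


def alert_context(event):
    """The fields runbook step 1 extracts from the alert."""
    user = next((t for t in event.get("target") or [] if t.get("type") == "User"), {})
    return {
        "actor_display_name": _get(event, "actor", "displayName"),
        "actor_id": _get(event, "actor", "id"),
        "source_ip": _get(event, "client", "ipAddress"),
        "target_user": user.get("alternateId"),
        "factor": _get(event, "outcome", "reason"),
    }


def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def followup(alert_event, log_events, known_ips, now):
    """Runbook step 3: re-enrolment, new device or new-IP sign-in by the target
    user after the deactivation. Returns (status, matches) with status one of
    'suspicious', 'clear' or 'pending' (window under 30 min and no rows)."""
    target = alert_context(alert_event)["target_user"]
    start = _ts(alert_event)
    end = min(now, start + FOLLOWUP_CAP)
    matches = []
    for ev in log_events:
        if not (start < _ts(ev) <= end) or ev.get("eventType") not in FOLLOWUP_EVENT_TYPES:
            continue
        if _get(ev, "actor", "alternateId") != target:
            continue
        if ev["eventType"] == "user.session.start" and _get(ev, "client", "ipAddress") in known_ips:
            continue  # a sign-in from a baseline IP is not the signal we want
        matches.append(ev)
    if matches:
        return "suspicious", matches
    if end - start < PENDING_THRESHOLD:
        return "pending", matches  # too little post-event data yet; re-run later
    return "clear", matches


# --- constructed sample events (not real Okta data) ---
def _event(event_type, published, actor, client_ip, target=None, reason=None):
    return {"eventType": event_type, "published": published, "actor": actor,
            "client": {"ipAddress": client_ip}, "target": target or [],
            "outcome": {"result": "SUCCESS", "reason": reason}}


SERVICE_APP = {"type": SERVICE_APP_ACTOR_TYPE, "id": "0oaexampleappid", "displayName": "Example Service App"}
ALICE = {"type": "User", "id": "00uexamplealice", "alternateId": "alice@example.com"}
BOB = {"type": "User", "id": "00uexamplebob", "alternateId": "bob@example.com"}

DEACTIVATE_EVENT = _event("user.mfa.factor.deactivate", "2026-06-11T10:00:00Z",
                          SERVICE_APP, "203.0.113.10", [ALICE], "User reset SMS factor")
HUMAN_DEACTIVATE_EVENT = _event("user.mfa.factor.deactivate", "2026-06-11T10:00:00Z",
                                BOB, "192.0.2.5", [ALICE], "User reset SMS factor")
LOG_EVENTS = [
    _event("user.mfa.factor.activate", "2026-06-11T10:04:00Z", ALICE, "198.51.100.7", [ALICE]),
    _event("user.session.start", "2026-06-11T10:06:00Z", ALICE, "198.51.100.7"),        # new IP
    _event("user.session.start", "2026-06-11T10:08:00Z", ALICE, "192.0.2.5"),           # known IP
    _event("user.mfa.factor.activate", "2026-06-11T10:05:00Z", BOB, "192.0.2.5", [BOB]),  # other user
    _event("user.mfa.factor.activate", "2026-06-11T13:30:00Z", ALICE, "198.51.100.7", [ALICE]),  # past cap
]
KNOWN_IPS = {"192.0.2.5"}
NOW = datetime(2026, 6, 11, 12, 30, tzinfo=timezone.utc)
EARLY_NOW = datetime(2026, 6, 11, 10, 10, tzinfo=timezone.utc)  # 10 min after the event

if __name__ == "__main__":
    print(rule(DEACTIVATE_EVENT), rule(HUMAN_DEACTIVATE_EVENT), alert_context(DEACTIVATE_EVENT))
    print(followup(DEACTIVATE_EVENT, LOG_EVENTS, KNOWN_IPS, NOW)[0],
          followup(DEACTIVATE_EVENT, [], KNOWN_IPS, EARLY_NOW)[0])
```

The service-app deactivation fires the rule while the identical action by a human actor does not; with the constructed log the follow-up finds the re-enrolment and the sign-in from an unseen IP and returns suspicious, whereas an empty log checked ten minutes after the event returns pending rather than clear. Step 2 (the 4-hour look-back for client_credentials grants and admin consent) is a plain time-windowed filter on the actor id in the same style and is left to the reader's log store.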
Categories
  • Cloud
  • Identity Management
  • Web
Data Sources
  • Application Log
ATT&CK Techniques
  • T1556.006
Created: 2026-06-11