
Stolen Credentials Used to Login to Okta Account After MFA Reset

Elastic Detection Rules

Summary
This rule detects activity on Windows hosts that indicates compromise of credentials belonging to Okta user accounts. It focuses on the sequence in which an adversary obtains a user's login credentials, resets that user's multi-factor authentication (MFA) settings, and then signs in to Okta with the stolen credentials. The rule is written with the social engineering tactics commonly used in such attacks in mind. If MFA credentials are reset without the user's knowledge, immediate incident response is necessary to prevent further unauthorized access. The rule correlates endpoint events with Okta system logs and alerts on actions that could signal a credential compromise followed by an attack on MFA or SSO mechanisms.
Categories
  • Endpoint
  • Cloud
Data Sources
  • User Account
  • Logon Session
  • Process
  • Container
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1556
  • T1556.006
Created: 2023-11-09