
Summary
This analytic rule identifies instances where an Okta user attempts to disable multi-factor authentication (MFA), a critical security control. The rule leverages logs from OktaIM2 to detect occurrences of the 'user.mfa.factor.deactivate' event. Disabling MFA poses a significant threat because it may allow an attacker who has compromised a valid account to bypass a vital layer of security. Such an action can lead to unauthorized access to sensitive information and enable prolonged, undetected presence within an organization's network. The detection rule alerts security teams to these potentially malicious actions, allowing timely investigation and response to protect user accounts and sensitive data.
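The detection logic described above, written out as an added Python example (this is not the rule's own search or any Okta code). It assumes Okta System Log events in their documented JSON shape (eventType, actor.alternateId, target[].type/alternateId, outcome.result, client.ipAddress, published) and runs over a handful of constructed sample lines, flagging successful 'user.mfa.factor.deactivate' events and noting whether the actor removed their own factor or another user's, which is the first thing an analyst triaging this alert wants to know.

```python
import json
from collections import Counter

# Okta System Log event type the detection keys on.
EVENT_TYPE = "user.mfa.factor.deactivate"

# Constructed sample events (not real log data) in Okta System Log shape.
# One admin-on-user deactivation, one self-service deactivation, one failed
# attempt, one unrelated event, and one malformed line to exercise parsing.
SAMPLE_LOG_LINES = [
    json.dumps({
        "eventType": EVENT_TYPE,
        "published": "2025-01-21T10:15:00.000Z",
        "actor": {"type": "User", "alternateId": "admin@example.com"},
        "target": [{"type": "User", "alternateId": "alice@example.com"},
                   {"type": "MfaFactor", "displayName": "Okta Verify"}],
        "outcome": {"result": "SUCCESS"},
        "client": {"ipAddress": "198.51.100.10"},
    }),
    json.dumps({
        "eventType": EVENT_TYPE,
        "published": "2025-01-21T10:20:00.000Z",
        "actor": {"type": "User", "alternateId": "bob@example.com"},
        "target": [{"type": "User", "alternateId": "bob@example.com"},
                   {"type": "MfaFactor", "displayName": "SMS"}],
        "outcome": {"result": "SUCCESS"},
        "client": {"ipAddress": "203.0.113.7"},
    }),
    json.dumps({
        "eventType": EVENT_TYPE,
        "published": "2025-01-21T10:25:00.000Z",
        "actor": {"type": "User", "alternateId": "carol@example.com"},
        "target": [{"type": "User", "alternateId": "dave@example.com"}],
        "outcome": {"result": "FAILURE", "reason": "INSUFFICIENT_PERMISSIONS"},
        "client": {"ipAddress": "203.0.113.9"},
    }),
    json.dumps({
        "eventType": "user.session.start",
        "published": "2025-01-21T10:30:00.000Z",
        "actor": {"type": "User", "alternateId": "alice@example.com"},
        "outcome": {"result": "SUCCESS"},
    }),
    "{not valid json",
]


def parse_events(lines):
    """Yield one event dict per well-formed JSON line; skip junk instead of crashing."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_mfa_deactivations(lines, successful_only=True):
    """Return a finding for every MFA factor deactivation event in the input.

    By default only SUCCESS outcomes are returned, matching the intent of the
    rule; pass successful_only=False to also surface failed attempts, which can
    be useful hunting context.
    """
    findings = []
    for ev in parse_events(lines):
        if ev.get("eventType") != EVENT_TYPE:
            continue
        outcome = (ev.get("outcome") or {}).get("result", "")
        if successful_only and outcome != "SUCCESS":
            continue
        actor = (ev.get("actor") or {}).get("alternateId")
        # The affected account is the target entry of type User; the factor
        # itself is a separate MfaFactor target.
        user_targets = [t for t in ev.get("target") or [] if t.get("type") == "User"]
        target_user = user_targets[0].get("alternateId") if user_targets else None
        findings.append({
            "published": ev.get("published"),
            "actor": actor,
            "target_user": target_user,
            # True when a user removed their own factor; False when someone
            # else (an admin, or an attacker with admin rights) did it.
            "self_service": actor is not None and actor == target_user,
            "src_ip": (ev.get("client") or {}).get("ipAddress"),
            "outcome": outcome,
        })
    return findings


def summarize_by_actor(findings):
    """Count deactivations per actor; a burst from one actor stands out in triage."""
    return Counter(f["actor"] for f in findings)


if __name__ == "__main__":
    for f in find_mfa_deactivations(SAMPLE_LOG_LINES):
        print(f)
    print(summarize_by_actor(find_mfa_deactivations(SAMPLE_LOG_LINES)))
```

Running the script prints two findings: the admin-initiated removal of alice's factor (self_service False) and bob's own removal (self_service True); the failed attempt and the unrelated session event are dropped. Keying on eventType rather than on free-text fields keeps the check stable across Okta UI changes, and the self_service flag separates routine device re-enrolment from the higher-risk case of one account stripping MFA from another.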
Categories
- Identity Management
- Cloud
- Application
Data Sources
- Pod
- Cloud Service
- Application Log
- User Account
ATT&CK Techniques
- T1556
- T1556.006
Created: 2025-01-21