Okta User MFA Reset All

Panther Rules

Summary
This detection rule fires when all Multi-Factor Authentication (MFA) factors for an Okta user account have been reset. Such a reset can indicate unauthorized access attempts or administrative changes. The rule is triggered by a logged action with the event type `user.mfa.factor.reset_all`, which represents the complete reset of all MFA factors for a specific user. It collects context data including the user involved in the action, the date and time of the reset, the IP address from which the request originated, and the geographical details of that IP address. Additional logs capture user agent details and any request errors or anomalies surrounding the reset action. A secondary condition reviews interactions with rate-limiting to determine whether an unusual pattern is occurring during these resets. Together, this gives a comprehensive view of MFA reset actions and helps identify security issues arising from such administrative activity.
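The primary condition described in the summary, as an added Python example (not Panther's rule source): it matches on `eventType` and extracts the listed context, tolerating missing or null fields. Field names follow the Okta System Log event schema; the helper names and sample events are constructed for illustration, and the rate-limiting condition is not modelled.

```python
# Added example, not Panther's rule source; sample events below are constructed.
RESET_ALL = "user.mfa.factor.reset_all"

def deep_get(obj, *keys, default=None):
    """Walk nested dicts, returning default when any level is missing or null."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
    return default if obj is None else obj

def targets_of(event):
    """alternateId of each User target (the accounts whose factors were reset)."""
    return [t.get("alternateId", "<unknown>")
            for t in (event.get("target") or [])
            if isinstance(t, dict) and t.get("type") == "User"]

def detect_mfa_reset_all(events):
    """Return one alert per reset-all event, with the context the summary lists."""
    alerts = []
    for ev in events:
        if ev.get("eventType") != RESET_ALL:
            continue
        alerts.append({
            "actor": deep_get(ev, "actor", "alternateId", default="<unknown>"),
            "targets": targets_of(ev),
            "time": ev.get("published"),
            "ip": deep_get(ev, "client", "ipAddress"),
            "country": deep_get(ev, "client", "geographicalContext", "country"),
            "user_agent": deep_get(ev, "client", "userAgent", "rawUserAgent"),
            "outcome": deep_get(ev, "outcome", "result"),
        })
    return alerts

SAMPLE_EVENTS = [  # constructed; 203.0.113.0/24 is a documentation range
    {"eventType": "user.mfa.factor.reset_all", "published": "2022-12-15T10:02:11.000Z",
     "actor": {"alternateId": "admin@example.com"},
     "target": [{"type": "User", "alternateId": "alice@example.com"}],
     "client": {"ipAddress": "203.0.113.7",
                "geographicalContext": {"country": "United States"},
                "userAgent": {"rawUserAgent": "Mozilla/5.0"}},
     "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.mfa.factor.deactivate", "published": "2022-12-15T10:05:00.000Z",
     "actor": {"alternateId": "bob@example.com"}, "target": [], "client": None},
    {"eventType": "user.mfa.factor.reset_all", "published": "2022-12-15T11:00:00.000Z",
     "actor": {"alternateId": "admin@example.com"}, "target": None, "client": None},
]

if __name__ == "__main__":
    print(*detect_mfa_reset_all(SAMPLE_EVENTS), sep="\n")
```

The third sample event has null `target` and `client` fields: it still produces an alert, with the missing context reported as empty rather than raising an error.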
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • User Account
  • Application Log
  • Cloud Service
Created: 2022-12-15