Okta MFA Reset or Deactivated

Sigma Rules

Summary
The Okta MFA Reset or Deactivated rule detects potentially unauthorized actions in which a user attempts to deactivate or reset their Multi-Factor Authentication (MFA) settings in the Okta identity management service. Such an action can indicate a serious security issue, because an attacker may try to reset MFA to gain unauthorized access to user accounts. The detection triggers on two event types related to user MFA actions: 'user.mfa.factor.deactivate' and 'user.mfa.factor.reset_all'. Entries with these event types in the Okta System Log, retrieved through the Okta API, indicate that the actions have been performed. The rule has a medium severity level: a match is significant, but without further context it does not necessarily indicate an immediate breach.
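The matching described above, applied to Okta System Log events, as an added example (not the rule's own source). The sample events are constructed, and the `actor_is_target` field is triage context assumed for this example rather than part of the rule.

```python
import json

# Event types named in the rule summary above.
MFA_EVENT_TYPES = {"user.mfa.factor.deactivate", "user.mfa.factor.reset_all"}

# Constructed sample events, one JSON object per line, shaped like Okta System Log entries.
SAMPLE_LOG = "\n".join([
    '{"published":"2024-01-01T09:00:00Z","eventType":"user.session.start",'
    '"actor":{"alternateId":"alice@example.com"},"target":[]}',
    '{"published":"2024-01-01T09:05:00Z","eventType":"user.mfa.factor.deactivate",'
    '"actor":{"alternateId":"alice@example.com"},'
    '"target":[{"type":"User","alternateId":"alice@example.com"}]}',
    '{"published":"2024-01-01T09:07:00Z","eventType":"user.mfa.factor.reset_all",'
    '"actor":{"alternateId":"helpdesk@example.com"},'
    '"target":[{"type":"User","alternateId":"bob@example.com"}]}',
    'not-json debris line',
])


def find_mfa_changes(log_text):
    """Return one alert dict per event whose eventType matches the rule."""
    alerts = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not valid JSON
        if not isinstance(event, dict) or event.get("eventType") not in MFA_EVENT_TYPES:
            continue
        actor = (event.get("actor") or {}).get("alternateId")
        users = [t.get("alternateId") for t in (event.get("target") or [])
                 if t.get("type") == "User"]
        alerts.append({
            "time": event.get("published"),
            "event_type": event["eventType"],
            "actor": actor,
            "target_users": users,
            # Triage context (an assumption of this example, not part of the rule):
            # True when the affected user made the change themselves.
            "actor_is_target": actor in users,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_mfa_changes(SAMPLE_LOG):
        print(alert)
```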
Categories
  • Identity Management
  • Cloud
Data Sources
  • User Account
  • Application Log
Created: 2021-09-21