MFA Deactivation with no Re-Activation for Okta User Account

Elastic Detection Rules

Summary
This rule detects a multi-factor authentication (MFA) factor being deactivated on an Okta user account without a factor being re-activated on that account within the following 12 hours. Deactivating MFA is a known step in account takeover: an adversary who has already obtained a password, or who controls an administrator session, removes the second factor so that the compromised credentials alone are enough to sign in. A legitimate factor reset, by contrast, is normally followed by re-enrolment within a short time, which is why the rule keys on the absence of a re-activation rather than on the deactivation alone.

The rule is an EQL query over Okta system logs (the `okta.system` dataset) that pairs an MFA factor deactivation event with the lack of a matching activation event for the same account inside a 12-hour window. Because the rule is waiting for something not to happen, the alert can only be raised once the window has elapsed, so by the time it fires the account may have been without MFA for up to 12 hours.

When the alert fires, establish whether the deactivation was expected. Review who performed it (the actor), from which IP and client, whether that actor normally administers MFA for this user, and whether any change ticket or offboarding action explains it. Then review the target account's activity since the deactivation: new sessions, sign-ins from unfamiliar locations or devices, password or recovery-factor changes, and application access. If the deactivation was not authorised, treat the account as compromised: terminate its active sessions, reset the password, re-enable and re-enrol MFA, and review the actor's account and permissions as well, since an unauthorised administrator action points to a compromised or abused privileged account.
Categories
  • Identity Management
  • Cloud
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1556 (Modify Authentication Process)
  • T1556.006 (Multi-Factor Authentication)
Created: 2020-05-20