
Summary
This detection rule identifies updates to a user's Multi-Factor Authentication (MFA) settings in Okta. It keys on the event type `user.mfa.factor.update`, which signals that a user's MFA factors have been changed. Such changes can indicate lateral movement or an attempt to evade defenses, and are a known behavior of threat actors such as LUCR-3 and Scattered Spider (also known as 0ktapus and UNC3944). The rule uses a Splunk query to extract the relevant authentication data, including source and destination user details, timestamps, and IP addresses, and aggregates events into one-second intervals to give a clearer view of MFA change activity, which helps in spotting suspicious user behavior linked to a potential compromise.
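The detection logic described above, reimplemented in Python over constructed Okta System Log records so it can be run offline (this is an added example, not the rule's own Splunk query); it assumes the Okta System Log field names `eventType`, `published`, `actor.alternateId`, `target[].alternateId`, `client.ipAddress` and `outcome.result`, and the sample records below are made up for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records (not real data) in the shape of Okta System Log JSON.
# Two factor updates by an admin against another user land in the same second,
# one unrelated event must be ignored, and one self-service change stands alone.
SAMPLE_EVENTS = [
    json.dumps({"eventType": "user.mfa.factor.update", "published": "2024-02-09T10:15:30.120Z",
                "actor": {"alternateId": "admin@example.com"},
                "target": [{"alternateId": "victim@example.com", "type": "User"}],
                "client": {"ipAddress": "198.51.100.23"}, "outcome": {"result": "SUCCESS"}}),
    json.dumps({"eventType": "user.mfa.factor.update", "published": "2024-02-09T10:15:30.870Z",
                "actor": {"alternateId": "admin@example.com"},
                "target": [{"alternateId": "victim@example.com", "type": "User"}],
                "client": {"ipAddress": "198.51.100.23"}, "outcome": {"result": "SUCCESS"}}),
    json.dumps({"eventType": "user.session.start", "published": "2024-02-09T10:15:31.000Z",
                "actor": {"alternateId": "bob@example.com"}, "target": [],
                "client": {"ipAddress": "198.51.100.9"}, "outcome": {"result": "SUCCESS"}}),
    json.dumps({"eventType": "user.mfa.factor.update", "published": "2024-02-09T11:00:00.000Z",
                "actor": {"alternateId": "alice@example.com"},
                "target": [{"alternateId": "alice@example.com", "type": "User"}],
                "client": {"ipAddress": "203.0.113.7"}, "outcome": {"result": "SUCCESS"}}),
]

def detect_mfa_factor_updates(lines):
    """Keep only user.mfa.factor.update events, extract source/destination user,
    source IP and timestamp, and aggregate them into one-second buckets."""
    buckets = defaultdict(lambda: {"count": 0, "results": set()})
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventType") != "user.mfa.factor.update":
            continue
        ts = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        second = ts.replace(microsecond=0)          # one-second aggregation window
        src_user = ev["actor"]["alternateId"]        # who made the change
        # The User target is the account whose factor changed; default to the actor.
        dest_user = next((t["alternateId"] for t in ev.get("target", [])
                          if t.get("type") == "User"), src_user)
        key = (second.isoformat(), src_user, dest_user, ev["client"]["ipAddress"])
        buckets[key]["count"] += 1
        buckets[key]["results"].add(ev["outcome"]["result"])
    # A change made to someone else's factors (src != dest) deserves a closer look.
    return [{"time": k[0], "src_user": k[1], "dest_user": k[2], "src_ip": k[3],
             "self_change": k[1] == k[2], "count": v["count"], "results": sorted(v["results"])}
            for k, v in sorted(buckets.items())]

if __name__ == "__main__":
    for row in detect_mfa_factor_updates(SAMPLE_EVENTS):
        print(row)
```

Running it collapses the two admin events into one row with `count` 2 and flags it as a non-self change, while the unrelated session event is dropped.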
Categories
- Identity Management
- Cloud
- Endpoint
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1550
Created: 2024-02-09