
Summary
This detection rule identifies attempts to reset all multi-factor authentication (MFA) factors for an Okta user account. An adversary may abuse the MFA reset functionality to enroll new MFA factors under their own control and then authenticate as the legitimate account holder. The rule monitors Okta system log events for the 'user.mfa.factor.reset_all' action within the Okta event dataset, so that security teams can flag activity consistent with account manipulation or other adverse behavior. Because administrators also perform legitimate MFA resets, the rule recommends creating exceptions for known false-positive scenarios, while still investigating every flagged event to distinguish legitimate user or administrative activity from a potential threat.
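The following is an added example, not part of the original rule or of Okta's or Elastic's own code, showing how the detection described above can be run over Okta System Log records and how an administrative-reset exception can be applied without losing visibility. It works on the raw Okta System Log JSON shape (eventType, actor, target, client, outcome); the sample records, the e-mail addresses, IPs and UUIDs in them, and the help-desk allowlist are all constructed for the demo. A production pipeline such as the Elastic Okta integration normalizes eventType into its own field names, so the field lookups are assumptions that would need adjusting to the ingest schema in use.

```python
import json
from typing import Dict, FrozenSet, Iterable, List

# Okta System Log eventType the rule keys on (taken from the rule description).
RESET_ALL_EVENT = "user.mfa.factor.reset_all"

# Constructed sample records (not real data). Newline-delimited JSON in the
# Okta System Log API layout; every name, ID and address here is made up.
SAMPLE_LOG = """
{"uuid":"evt-1","published":"2020-06-01T10:15:00.000Z","eventType":"user.session.start","actor":{"id":"u1","alternateId":"alice@example.com","type":"User"},"target":[],"client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"SUCCESS"}}
{"uuid":"evt-2","published":"2020-06-01T10:16:30.000Z","eventType":"user.mfa.factor.reset_all","actor":{"id":"u9","alternateId":"helpdesk-admin@example.com","type":"User"},"target":[{"id":"u1","alternateId":"alice@example.com","type":"User"}],"client":{"ipAddress":"198.51.100.5"},"outcome":{"result":"SUCCESS"}}
{"uuid":"evt-3","published":"2020-06-01T10:20:05.000Z","eventType":"user.mfa.factor.reset_all","actor":{"id":"u1","alternateId":"alice@example.com","type":"User"},"target":[{"id":"u1","alternateId":"alice@example.com","type":"User"}],"client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"SUCCESS"}}
{"uuid":"evt-4","published":"2020-06-01T10:21:00.000Z","eventType":"user.mfa.factor.reset_all","actor":{"id":"u7","alternateId":"mallory@example.com","type":"User"},"target":[{"id":"u2","alternateId":"bob@example.com","type":"User"}],"client":{"ipAddress":"192.0.2.44"},"outcome":{"result":"FAILURE","reason":"insufficient permissions"}}
"""


def parse_okta_log(raw: str) -> List[Dict]:
    """Parse newline-delimited JSON System Log records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def detect_mfa_reset_all(events: Iterable[Dict],
                         allowlisted_actors: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Return one alert per user.mfa.factor.reset_all event.

    allowlisted_actors holds actor alternateIds covered by a documented
    exception (for example a help-desk admin account). Matching events are
    marked 'suppressed' rather than dropped, so the exception stays auditable.
    Failed attempts are kept too: a denied reset is still a triage signal.
    """
    alerts = []
    for ev in events:
        if ev.get("eventType") != RESET_ALL_EVENT:
            continue
        actor = ev.get("actor", {}).get("alternateId", "<unknown>")
        targets = [t.get("alternateId", "<unknown>")
                   for t in ev.get("target", []) if t.get("type") == "User"]
        alerts.append({
            "uuid": ev.get("uuid"),
            "published": ev.get("published"),
            "actor": actor,
            "targets": targets,
            "source_ip": ev.get("client", {}).get("ipAddress"),
            "outcome": ev.get("outcome", {}).get("result", "<unknown>"),
            # A user resetting their own factors and an actor resetting
            # someone else's account deserve different triage paths.
            "self_reset": actor in targets,
            "suppressed": actor in allowlisted_actors,
        })
    return alerts


def actionable(alerts: Iterable[Dict]) -> List[Dict]:
    """Alerts that are not covered by an exception and need an analyst's look."""
    return [a for a in alerts if not a["suppressed"]]


if __name__ == "__main__":
    # Constructed exception: the help-desk admin account resets factors as
    # part of a documented process, so its events are suppressed, not hidden.
    exceptions = frozenset({"helpdesk-admin@example.com"})
    found = detect_mfa_reset_all(parse_okta_log(SAMPLE_LOG), exceptions)
    for alert in found:
        state = "SUPPRESSED" if alert["suppressed"] else "ALERT"
        print(f"{state:10} {alert['published']} {alert['actor']} -> "
              f"{','.join(alert['targets'])} from {alert['source_ip']} "
              f"({alert['outcome']}, self_reset={alert['self_reset']})")
    print(f"{len(actionable(found))} event(s) require investigation")
```

Keeping suppressed events in the output rather than filtering them at match time is deliberate: if the allowlisted admin account is itself compromised, the exception would otherwise hide exactly the activity the rule exists to catch, so the suppressed events should still be retained and periodically reviewed.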
Categories
- Identity Management
- Cloud
- Application
Data Sources
- User Account
- Application Log
- Cloud Service
ATT&CK Techniques
- T1098
Created: 2020-05-21