
Summary
The Okta Support Reset Credential detection rule, identified as "Okta.Support.Reset", monitors for high-severity events in which Okta Support performs a password or MFA reset on a user account. The rule fires when such a reset action is logged in Okta's System Log, since it can indicate malicious activity or unauthorized access. It is rated high severity because an account reset can serve as a vector for initial access or follow-on activity, which is why it is classified under 'Initial Access: Trusted Relationship' in the MITRE ATT&CK framework (TA0001:T1199). Detection is based on the specific event types logged when an account is reset, combined with indicators of an unwanted reset, chiefly that the reset was not performed by one of the company's own administrators; this is what distinguishes legitimate support interactions from potentially harmful actions. Expected behavior and outcomes are pinned down by automated tests run against Okta event log samples, so that detection accuracy stays high without overlooking sanctioned actions.
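An added example of the detection logic described above, written for this page and not taken from the rule's own code: the event-type names and the `system@okta.com` actor identity are Okta System Log values I am assuming the rule covers, the company admin domain is a constructed placeholder, and the sample events are constructed, not real log data.

```python
# Okta System Log eventType values written when a password or MFA factor is reset.
# Real Okta event names; which of them the rule covers is my assumption.
RESET_EVENT_TYPES = {
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
}

# Domains whose users count as the company's own Okta administrators (constructed).
COMPANY_ADMIN_DOMAINS = {"example.com"}

# Actions taken by Okta Support are logged under this actor identity.
OKTA_SUPPORT_ACTOR = "system@okta.com"


def is_company_admin(event: dict) -> bool:
    """True when the actor who performed the action belongs to the company."""
    actor_id = (event.get("actor") or {}).get("alternateId", "")
    return "@" in actor_id and actor_id.rsplit("@", 1)[1].lower() in COMPANY_ADMIN_DOMAINS


def rule(event: dict) -> bool:
    """Alert on a credential reset that was not performed by a company administrator."""
    if event.get("eventType") not in RESET_EVENT_TYPES:
        return False
    return not is_company_admin(event)


def title(event: dict) -> str:
    """Human-readable alert title naming the actor and the reset target(s)."""
    actor = (event.get("actor") or {}).get("alternateId", "<unknown actor>")
    targets = [t.get("alternateId", "?") for t in event.get("target") or []]
    return f"Okta.Support.Reset: {event['eventType']} by {actor} on {', '.join(targets)}"


def evaluate(events: list) -> list:
    """Run the rule over a batch of events and return alert titles for the matches."""
    return [title(e) for e in events if rule(e)]


# Constructed sample events in Okta System Log shape (not real log data).
SAMPLE_EVENTS = [
    {"eventType": "user.account.reset_password",            # Okta Support reset: alert
     "actor": {"alternateId": OKTA_SUPPORT_ACTOR, "type": "SystemPrincipal"},
     "target": [{"alternateId": "alice@example.com", "type": "User"}]},
    {"eventType": "user.mfa.factor.reset_all",              # company admin reset: sanctioned
     "actor": {"alternateId": "it-admin@example.com", "type": "User"},
     "target": [{"alternateId": "bob@example.com", "type": "User"}]},
    {"eventType": "user.session.start",                     # not a reset event: ignored
     "actor": {"alternateId": "carol@contractor.test", "type": "User"},
     "target": []},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```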
Categories
- Identity Management
- Cloud
- Web
Data Sources
- User Account
- Logon Session
- Application Log
ATT&CK Techniques
- T1199
Created: 2022-09-02