Okta User MFA Factor Suspend

Panther Rules

Summary
This detection rule identifies when a multi-factor authentication (MFA) factor is suspended for a user in the Okta identity platform, whether the suspension is initiated by the user or by an administrator. It consumes Okta System Log events, which carry the actor's identity, the authentication context, the client device, the source IP address and its geographic location, and the outcome of the requested action. When a factor (such as a SIGNED_NONCE factor) is suspended, Okta records the event with these details, and the rule fires on the specific event type that indicates an MFA factor suspension. Suspending a factor can be routine administration, but it can also be an attacker disabling a factor they cannot satisfy after compromising a password, which is why the rule is classified as high severity and is meant to prompt an investigation rather than an automated response. The rule also deduplicates alerts, so repeated suspension events for the same subject within the deduplication window produce a single alert rather than one alert per event.
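The following is an added, stand-alone sketch of the detection described above, written in the shape Panther rules use (module-level `rule`, `title`, `dedup` and `alert_context` functions). It is not Panther's published rule and not Okta's code: the eventType value `user.mfa.factor.suspend` is Okta's documented System Log event type for factor suspension, while the field paths used for actor, client and target, the dedup key (the actor's login), and the three sample events are assumptions constructed here so the logic can be run offline.

```python
"""Okta MFA-factor-suspend detection, Panther-style (added example, not the
published rule). Sample events below are constructed, not real Okta logs."""

# Okta System Log eventType emitted when an MFA factor is suspended.
SUSPEND_EVENT_TYPE = "user.mfa.factor.suspend"


def _deep_get(obj, *keys, default=None):
    """Walk nested dicts/lists safely; returns default on any missing step."""
    cur = obj
    for key in keys:
        if isinstance(cur, dict) and key in cur:
            cur = cur[key]
        elif isinstance(cur, list) and isinstance(key, int) and key < len(cur):
            cur = cur[key]
        else:
            return default
    return cur


def rule(event):
    """Fire only on the factor-suspend event type (assumed exact match)."""
    return event.get("eventType") == SUSPEND_EVENT_TYPE


def title(event):
    """Alert title naming the actor and the suspended factor, if present."""
    actor = _deep_get(event, "actor", "alternateId", default="<unknown actor>")
    # Assumption: the factor appears as a target entry's displayName.
    factor = _deep_get(event, "target", 0, "displayName", default="<unknown factor>")
    return f"Okta MFA factor [{factor}] suspended by [{actor}]"


def dedup(event):
    """Deduplicate on the actor login: one alert per actor per dedup window."""
    return _deep_get(event, "actor", "alternateId", default="unknown")


def alert_context(event):
    """Investigation context pulled from the System Log event."""
    return {
        "actor": _deep_get(event, "actor", "alternateId"),
        "ip": _deep_get(event, "client", "ipAddress"),
        "city": _deep_get(event, "client", "geographicalContext", "city"),
        "country": _deep_get(event, "client", "geographicalContext", "country"),
        "outcome": _deep_get(event, "outcome", "result"),
        "factor": _deep_get(event, "target", 0, "displayName"),
    }


def run_detection(events):
    """Apply the rule to a batch and return (title, dedup key, context) per hit."""
    return [(title(e), dedup(e), alert_context(e)) for e in events if rule(e)]


# Constructed sample events (not real Okta data).
SAMPLE_EVENTS = [
    {
        "eventType": "user.mfa.factor.suspend",
        "actor": {"alternateId": "alice@example.com", "displayName": "Alice"},
        "client": {
            "ipAddress": "203.0.113.10",
            "geographicalContext": {"city": "Berlin", "country": "Germany"},
        },
        "target": [{"type": "User", "displayName": "SIGNED_NONCE"}],
        "outcome": {"result": "SUCCESS"},
    },
    {
        "eventType": "user.mfa.factor.activate",
        "actor": {"alternateId": "bob@example.com"},
        "outcome": {"result": "SUCCESS"},
    },
    {
        "eventType": "user.session.start",
        "actor": {"alternateId": "alice@example.com"},
        "outcome": {"result": "SUCCESS"},
    },
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

Only the first sample matches; the activate and session events are ignored, and a second suspend event from alice@example.com inside the dedup window would fold into the same alert because `dedup` returns her login.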
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • User Account
  • Application Log
  • Web Credential
Created: 2022-12-15