Detection rules › YARA-L
Okta User Password and MFA Factor Reset or Deactivated
Detects when an Okta user's password is reset and MFA factor(s) are deactivated or reset within a 30 minute time window. This activity may indicate that the user account has been compromised.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1556.006 Modify Authentication Process: Multi-Factor Authentication |
| Credential Access | T1556.006 Modify Authentication Process: Multi-Factor Authentication |
References
Event coverage
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
- Attempt to Reset MFA Factors for an Okta User Account (Elastic)
- MFA Deactivation with no Re-Activation for Okta User Account (Elastic)
- New Device/Location sign-in along with critical operation (Kusto)
- Okta Investigate MFA and Password resets (Panther)
- Okta MFA Reset or Deactivated (Sigma)
- Okta Support Reset Credential (Panther)
Rule body yaral
/*
* Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule okta_user_password_and_mfa_factor_reset_or_deactivated {
meta:
author = "Drew Pilarski - Tempus AI"
description = "Detects when an Okta user's password is reset and MFA factor(s) are deactivated or reset within a 30 minute time window. This activity may indicate that the user account has been compromised."
rule_id = "mr_a4344fef-2310-4fed-8f3a-8e76237cfc1f"
rule_name = "Okta User Password and MFA Factor Reset or Deactivated"
reference = "https://developer.okta.com/docs/reference/api/event-types/"
mitre_attack_tactic = "Credential Access, Defense Evasion, Persistence"
mitre_attack_technique = "Modify Authentication Process: Multi-Factor Authentication"
mitre_attack_url = "https://attack.mitre.org/techniques/T1556/006/"
type = "Alert"
platform = "Okta"
data_source = "Okta"
severity = "Medium"
priority = "Medium"
events:
$pw.metadata.product_name = "Okta"
$pw.metadata.vendor_name = "Okta"
(
$pw.metadata.product_event_type = "user.mfa.factor.reset_all" OR
$pw.metadata.product_event_type = "user.mfa.factor.deactivate"
)
$user_id = $pw.target.user.product_object_id
$mfa.metadata.product_name = "Okta"
$mfa.metadata.vendor_name = "Okta"
$mfa.metadata.product_event_type = "user.account.reset_password"
$user_id = $mfa.target.user.product_object_id
match:
$user_id over 30m
outcome:
$principal_user_email = array_distinct($pw.principal.user.email_addresses)
$principal_ip = array_distinct($pw.principal.ip)
$risk_score = 65
$mitre_attack_tactic = array_distinct("Credential Access, Defense Evasion, Persistence")
$mitre_attack_technique = array_distinct("Modify Authentication Process: Multi-Factor Authentication")
$mitre_attack_technique_id = array_distinct("T1556.006")
condition:
$pw and $mfa
}
Detection logic
Fires when at least one $pw event in the 30m window and at least one $mfa event in the 30m window.
Events
$mfa
metadata.product_event_type = "user.account.reset_password"
$pw
metadata.product_event_type = "user.mfa.factor.reset_all" or "user.mfa.factor.deactivate"
Correlation
Outcome
Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.
| Field | Expression |
|---|---|
principal_user_email | array_distinct($pw.principal.user.email_addresses) |
principal_ip | array_distinct($pw.principal.ip) |
risk_score | 65 |