Okta MFA reset for user

Set up the okta integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when the multi-factor authentication (MFA) factors for an enrolled Okta user are reset.

Strategy

This rule lets you monitor the following Okta event to determine when a user’s MFA factors are reset:

  • user.mfa.factor.reset_all

An attacker may attempt to reset MFA factors in a bid to access other user accounts by registering new attacker-controlled MFA factors.

Triage and response

  1. Determine if the user: {{@usr.email}} should have reset the MFA factors of the targeted user.
  2. If the change was not made by the user:
    • Disable the affected user accounts.
    • Rotate user credentials.
    • Return targeted users MFA factors to the last known good state.
    • Begin your organization’s incident response process and investigate.
  3. If the change was made by the user:
    • Determine if the user was authorized to make that change.
    • If Yes, ensure the targeted user has new MFA factors assigned in accordance with organization policies.
    • If No, verify there are no other signals from the Okta administrator: {{@usr.email}}.
PREVIEWING: rtrieu/product-analytics-ui-changes