Set up the okta integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when the multi-factor authentication (MFA) factors for an enrolled Okta user are reset.
Strategy
This rule lets you monitor the following Okta event to determine when a user’s MFA factors are reset:
user.mfa.factor.reset_all
An attacker may attempt to reset MFA factors in a bid to access other user accounts by registering new attacker-controlled MFA factors.
Triage and response
- Determine if the user:
{{@usr.email}} should have reset the MFA factors of the targeted user. - If the change was not made by the user:
- Disable the affected user accounts.
- Rotate user credentials.
- Return targeted users MFA factors to the last known good state.
- Begin your organization’s incident response process and investigate.
- If the change was made by the user:
- Determine if the user was authorized to make that change.
- If Yes, ensure the targeted user has new MFA factors assigned in accordance with organization policies.
- If No, verify there are no other signals from the Okta administrator:
{{@usr.email}}.
