Okta temporary password granted and MFA reset


Goal

Detects an administrator issuing a temporary password followed by the reset of all MFA factors for the Okta user.

Strategy

This rule monitors Okta account recovery and factor administration events. It alerts when both `user.account.expire_password` and `user.mfa.factor.reset_all` succeed for the same target account.

When an administrator expires a user's password, there is an option to generate a temporary password for the user, which an attacker can use to log in and set a password of their own. Once the user's factors are reset, an attacker can also enroll their own multi-factor authentication devices. Seen together, this behavior can indicate an account takeover, especially when the activity originates from an uncommon geo-location or from hosting provider IP addresses.

The rule severity is increased if Datadog detects the IP address is associated with a hosting provider.
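The correlation the rule performs, as an added example that is not Datadog's or Okta's own code: it walks Okta System Log events, keeps only the two watched event types with a SUCCESS outcome, and raises one finding per target user that has both. The sample events and the hosting-provider IP set are constructed placeholders for Datadog's ingested logs and IP enrichment.

```python
from collections import defaultdict

# Constructed sample Okta System Log events (shape only; not real data). Only
# alice@example.com receives both watched events with a SUCCESS outcome.
SAMPLE_EVENTS = [
    {"eventType": "user.account.expire_password", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "admin@example.com"}, "client": {"ipAddress": "203.0.113.10"},
     "target": [{"type": "User", "alternateId": "alice@example.com"}]},
    {"eventType": "user.mfa.factor.reset_all", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "admin@example.com"}, "client": {"ipAddress": "203.0.113.10"},
     "target": [{"type": "User", "alternateId": "alice@example.com"}]},
    {"eventType": "user.account.expire_password", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "admin@example.com"}, "client": {"ipAddress": "198.51.100.7"},
     "target": [{"type": "User", "alternateId": "carol@example.com"}]},
    {"eventType": "user.mfa.factor.reset_all", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "admin@example.com"}, "client": {"ipAddress": "198.51.100.7"},
     "target": [{"type": "User", "alternateId": "carol@example.com"}]},
]

# The two event types the rule correlates; both must succeed for one target user.
WATCHED = frozenset({"user.account.expire_password", "user.mfa.factor.reset_all"})

# Placeholder for Datadog's hosting-provider IP enrichment (constructed value).
HOSTING_PROVIDER_IPS = frozenset({"203.0.113.10"})


def correlate(events, hosting_ips=HOSTING_PROVIDER_IPS):
    """Return one finding per target user for whom both watched events succeeded."""
    seen = defaultdict(dict)  # target user -> eventType -> event
    for ev in events:
        if ev.get("eventType") not in WATCHED:
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue  # failed attempts do not satisfy the rule
        for tgt in ev.get("target", []):
            if tgt.get("type") == "User":
                seen[tgt["alternateId"]][ev["eventType"]] = ev
    findings = []
    for user, by_type in seen.items():
        if not WATCHED.issubset(by_type):
            continue  # only one of the two events seen for this user
        ips = {e.get("client", {}).get("ipAddress") for e in by_type.values()}
        # Severity is raised when a source IP belongs to a hosting provider.
        severity = "high" if ips & hosting_ips else "medium"
        findings.append({"target": user, "severity": severity, "source_ips": sorted(ips),
                         "actors": sorted({e["actor"]["alternateId"] for e in by_type.values()})})
    return findings
```

With the sample data, only alice@example.com produces a finding; carol@example.com does not, because her password-expiry event failed.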

Triage & Response

  1. Identify the permissions of the affected user, {{@target.alternateId}}, including if they have administrator privileges within your Okta instance.
  2. Review internal tickets for evidence this change was associated with a related request.
  3. Examine the source IP {{@network.client.ip}}, its geo-location, and any associated domain.
  4. If user activity is suspicious, begin your organization’s incident response process and investigate for any account takeovers.