Okta user's MFA factors reset followed by access to the administrative console

okta

Classification:

attack

Set up the okta integration.

Goal

Detect when the multi-factor authentication (MFA) factors for an enrolled Okta user are reset followed by that user accessing the administrative console.

Strategy

This rule lets you monitor the following Okta events to determine when a user’s MFA factors are reset and they access the administrative console:

  • user.mfa.factor.reset_all
  • user.session.access_admin_app

Okta’s security team reported a series of social engineering attacks in which attackers would convince service desk staff to reset the MFA factors of highly-privileged users, and leverage this to access administrative features within an Okta tenant.
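The correlation this rule performs can be reproduced offline against raw Okta System Log events. The script below is an added example, not Datadog's rule logic or Okta's code: it keys the `user.mfa.factor.reset_all` event by its target user (the account whose factors were cleared, while the actor is whoever performed the reset, such as service desk staff) and matches it against a later `user.session.access_admin_app` event whose actor is that same user. The one-hour window, the trimmed event shape and the sample events are constructed assumptions for illustration; the real rule's window and field mapping (`@usr.email`) are not on this page.

```python
from datetime import datetime, timedelta

RESET_EVENT = "user.mfa.factor.reset_all"
ADMIN_APP_EVENT = "user.session.access_admin_app"
WINDOW = timedelta(hours=1)  # assumed correlation window, not taken from the rule page

# Constructed sample Okta System Log events, trimmed to the fields used here.
# Event 1/2: helpdesk resets alice's factors, alice opens the admin console 12 minutes later.
# Event 3:   bob's factors are reset but bob never opens the admin console.
# Event 4:   carol opens the admin console with no preceding reset.
# Event 5:   alice opens the admin console again, hours after the reset (outside the window).
SAMPLE_EVENTS = [
    {"eventType": RESET_EVENT, "published": "2024-01-10T10:00:00.000Z",
     "actor": {"type": "User", "alternateId": "helpdesk@example.com"},
     "target": [{"type": "User", "alternateId": "alice@example.com"}]},
    {"eventType": ADMIN_APP_EVENT, "published": "2024-01-10T10:12:00.000Z",
     "actor": {"type": "User", "alternateId": "alice@example.com"}, "target": []},
    {"eventType": RESET_EVENT, "published": "2024-01-10T09:00:00.000Z",
     "actor": {"type": "User", "alternateId": "helpdesk@example.com"},
     "target": [{"type": "User", "alternateId": "bob@example.com"}]},
    {"eventType": ADMIN_APP_EVENT, "published": "2024-01-10T11:00:00.000Z",
     "actor": {"type": "User", "alternateId": "carol@example.com"}, "target": []},
    {"eventType": ADMIN_APP_EVENT, "published": "2024-01-10T13:00:00.000Z",
     "actor": {"type": "User", "alternateId": "alice@example.com"}, "target": []},
]


def _parse_ts(value):
    # Okta publishes UTC timestamps with a trailing "Z"; fromisoformat wants an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _reset_target_user(event):
    # For reset_all the user whose factors were cleared is in target[], not actor.
    for target in event.get("target", []):
        if target.get("type") == "User":
            return target.get("alternateId")
    return None


def correlate(events, window=WINDOW):
    """Return one alert per MFA reset that is followed, within `window`,
    by the same user opening the Okta admin console."""
    ordered = sorted(events, key=lambda e: _parse_ts(e["published"]))
    pending = {}  # user email -> most recent reset_all event for that user
    alerts = []
    for event in ordered:
        kind = event.get("eventType")
        if kind == RESET_EVENT:
            user = _reset_target_user(event)
            if user:
                pending[user] = event
        elif kind == ADMIN_APP_EVENT:
            user = event["actor"]["alternateId"]
            reset = pending.get(user)
            if reset is None:
                continue
            delta = _parse_ts(event["published"]) - _parse_ts(reset["published"])
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "user": user,
                    "reset_by": reset["actor"]["alternateId"],
                    "reset_at": reset["published"],
                    "admin_access_at": event["published"],
                })
                del pending[user]  # one alert per reset; later accesses need a new reset
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"ALERT: {alert['user']} had factors reset by {alert['reset_by']} at "
              f"{alert['reset_at']} and opened the admin console at {alert['admin_access_at']}")
```

Keying the reset on the target rather than the actor matters: in the social engineering scenario above the actor of the reset is the service desk account, and an alert that compared actors would never fire. The `reset_by` field is carried into the alert so the triage step of confirming the reset with the user and the staff member who performed it has both identities at hand.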

Triage and response

  1. Contact the user {{@usr.email}} to confirm that the reset of their MFA factors was authorized and that they were the one who accessed the administrative console.
  2. If the user was unaware of the activity:
    • Determine if any other activity occurred from this user. Look for deviations in user agents, IP addresses, and network metadata.
    • Begin your organization’s incident response process and investigate for any account takeovers.