For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/8c6-2a6-515.md. A documentation index is available at /llms.txt.

Okta MFA Bypass Attempted

okta

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1111-multi-factor-authentication-interception

Goal

Detect when a user attempts to bypass multi-factor authentication (MFA).

Strategy

This rule lets you monitor the following Okta events to detect when a user attempts to bypass MFA:

  • user.mfa.attempt_bypass

Triage and response

Contact the user who attempted to bypass MFA and ensure the request was legitimate.