MATCH-S00767.md

Rules: Okta MFA Device Reset

Description

An account's multi-factor authentication (MFA) device has been reset. This can indicate an attacker attempting to bypass or intercept MFA for an account that they have already compromised.

Additional Details

| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Credential Access |
| Apply Risk to Entities | user_username, srcDevice_ip |
| Signal Name | Okta MFA Device Reset |
| Summary Expression | MFA device reset for user {{user_username}} |
| Score/Severity | Static: 3 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0006, _mitreAttackTechnique:T1111 |

Vendors and Products

Fields Used

| Origin | Field |
|---|---|
| Normalized Schema | metadata_deviceEventId |
| Normalized Schema | metadata_product |
| Normalized Schema | metadata_vendor |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | user_username |