[New Rule] okta_mfa_pw_reset #101

Open
barnabys-drew opened this issue Mar 1, 2025 · 6 comments · May be fixed by #104
Labels
rule: new New rule contributions

Comments
barnabys-drew commented Mar 1, 2025

Description

This detection is looking for MFA and password resets in a 30-minute window. This is suspicious given that normal activity should only constitute a password reset OR an MFA reset (a la a replacement phone).

Log Types

OKTA

YARA-L Rule

/*
 * Copyright 2025 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule okta_mfa_pw_reset {

  meta:
    author = "Drew Pilarski - Tempus AI"
    description = "This detection is looking for MFA and password resets in a 30-minute window. This is suspicious given normal activity should only constitute a password reset OR MFA reset (a la a replacement phone)"
    notes = "https://developer.okta.com/docs/reference/api/event-types/"
    mitre_attack_tactic = "Credential Access, Defense Evasion, Persistence"
    mitre_attack_technique = "Modify Authentication Process: Multi-Factor Authentication"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1556/006/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Okta"
    severity = "Medium"
    priority = "Medium"

  events:
    // Event 1: all MFA factors reset for the principal.
    $mfa.metadata.vendor_name = "Okta"
    $mfa.metadata.product_event_type = "user.mfa.factor.reset_all"
    $prin_user = $mfa.principal.user.email_addresses

    // Event 2: password reset for the same principal.
    $pw.metadata.vendor_name = "Okta"
    $pw.metadata.product_event_type = "user.account.reset_password"
    $prin_user = $pw.principal.user.email_addresses

  match:
    // Correlate both events on the principal's email within a 30-minute window.
    $prin_user over 30m

  outcome:
    $user = array_distinct($prin_user)
    $email = array_distinct($mfa.principal.user.email_addresses)
    $src_ip = array_distinct($mfa.principal.ip)
    $mitre_attack_tactic = "Credential Access, Defense Evasion, Persistence"
    $mitre_attack_technique = "Modify Authentication Process: Multi-Factor Authentication"
    $risk_score = 65

  condition:
    $mfa and $pw
}

References

No response

Test Data

{
  "actor": {
    "alternateId": "kevin.andersen@fake_buisness.com",
    "detailEntry": null,
    "displayName": "Kevin Andersen",
    "id": "00uecxxxzubOn7fJy297",
    "type": "User"
  },
  "authenticationContext": {
    "authenticationProvider": null,
    "authenticationStep": 0,
    "credentialProvider": null,
    "credentialType": null,
    "externalSessionId": "idxW9HW5CdxxxilZEpNIav6NQ",
    "interface": null,
    "issuer": null,
    "rootSessionId": "idxxxxW5CdLRhilZEpNIav6NQ"
  },
  "client": {
    "device": "Computer",
    "geographicalContext": {
      "city": "Chicago",
      "country": "United States",
      "geolocation": {
        "lat": 71.9025,
        "lon": -23.6726
      },
      "postalCode": "66666",
      "state": "Illinois"
    },
    "id": null,
    "ipAddress": "1.1.1.1",
    "userAgent": {
      "browser": "CHROME",
      "os": "Mac OS X",
      "rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36"
    },
    "zone": "null"
  },
  "debugContext": {
    "debugData": {
      "authnRequestId": "8a3bfe78f9ca993xxxbb24848bc6925b",
      "dtHash": "f94385c3cb17f7f3dxxxb850a59ba21beb9da088e0ee4b1ee2e9e7794fc5a78",
      "enrollmentMethodChallengeTime": "2025-01-27T15:43:23.628Z",
      "requestId": "8b14912369036cc94c3f6b72395c0268",
      "requestUri": "/idp/idx/challenge/answer",
      "threatSuspected": "false",
      "url": "/idp/idx/challenge/answer?"
    }
  },
  "device": null,
  "displayMessage": "Reset factor for user",
  "eventType": "user.mfa.factor.deactivate",
  "legacyEventType": "core.user.factor.deactivate",
  "outcome": {
    "reason": "User reset FIDO_WEBAUTHN factor",
    "result": "SUCCESS"
  },
  "published": "2025-01-27T15:43:27.062Z",
  "request": {
    "ipChain": [
      {
        "geographicalContext": {
          "city": "Chicago",
          "country": "United States",
          "geolocation": {
            "lat": 71.9025,
            "lon": -23.6726
          },
          "postalCode": "60622",
          "state": "Illinois"
        },
        "ip": "4.28.60.194",
        "source": null,
        "version": "V4"
      }
    ]
  },
  "securityContext": {
    "asNumber": 3356,
    "asOrg": "level 3 parent  llc",
    "domain": "level3.net",
    "isProxy": false,
    "isp": "level 3 parent  llc"
  },
  "severity": "INFO",
  "target": [
    {
      "alternateId": "kevin.andersen@fake_buisness.com",
      "detailEntry": null,
      "displayName": "Kevin Andersen",
      "id": "00uecvrpzubOn7fJy297",
      "type": "User"
    }
  ],
  "transaction": {
    "detail": {},
    "id": "8b1498b512336cc94c3f6b72395c0268",
    "type": "WEB"
  },
  "uuid": "732ab020-xxx5-11ef-8b71-532a73f95361",
  "version": "0"
}


{
  "actor": {
    "alternateId": "kevin.andersen@fake_buisness.com",
    "detailEntry": null,
    "displayName": "Kevin Andersen",
    "id": "00uls2l7yapHAG9ac297",
    "type": "User"
  },
  "authenticationContext": {
    "authenticationProvider": null,
    "authenticationStep": 0,
    "credentialProvider": null,
    "credentialType": null,
    "externalSessionId": "xxxGnr0oSKjQRWZD8gMYD3iBA",
    "interface": null,
    "issuer": null,
    "rootSessionId": "xxxGnr0oSKjQRWZD8gMYD3iBA"
  },
  "client": {
    "device": "Mobile",
    "geographicalContext": {
      "city": "Tokyo",
      "country": "Japan",
      "geolocation": {
        "lat": 95.6893,
        "lon": 39.6899
      },
      "postalCode": "151-0053",
      "state": "Tokyo"
    },
    "id": null,
    "ipAddress": "172.30.216.20",
    "userAgent": {
      "browser": "SAFARI",
      "os": "Mac OS X (iPhone)",
      "rawUserAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 18_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1.1 Mobile/15E148 Safari/604.1"
    },
    "zone": "null"
  },
  "debugContext": {
    "debugData": {
      "dtHash": "xxxf765f2b22fa5fa6783fd20ed42eb494ab90ccb21769fb89683c33735d24eb",
      "requestId": "xxxec192b617d9422a3cc7f0e1e74d0a",
      "requestUri": "/api/v1/authn/credentials/reset_password",
      "threatSuspected": "false",
      "traceId": "7d08e4ab-f028-4a02-9e26-6acc16cb1dc7",
      "tunnels": "[{\"anonymous\":true,\"operator\":\"ICLOUD_RELAY_PROXY\",\"type\":\"PROXY\"}]",
      "url": "/api/v1/authn/credentials/reset_password?"
    }
  },
  "device": null,
  "displayMessage": "Fired when the user's Okta password is reset",
  "eventType": "user.account.reset_password",
  "legacyEventType": "core.user_auth.self_service.password_reset",
  "outcome": {
    "reason": null,
    "result": "SUCCESS"
  },
  "published": "2025-01-26T21:55:30.879Z",
  "request": {
    "ipChain": [
      {
        "geographicalContext": {
          "city": "Tokyo",
          "country": "Japan",
          "geolocation": {
            "lat": 95.6893,
            "lon": 39.6899
          },
          "postalCode": "151-0053",
          "state": "Tokyo"
        },
        "ip": "172.226.216.48",
        "source": null,
        "version": "V4"
      }
    ]
  },
  "securityContext": {
    "asNumber": 36183,
    "asOrg": "akamai technologies  inc.",
    "domain": "akamaitechnologies.com",
    "isProxy": true,
    "isp": "akamai technologies  inc."
  },
  "severity": "INFO",
  "target": [
    {
      "alternateId": "kevin.andersen@fake_buisness.com",
      "detailEntry": null,
      "displayName": "Kevin Andersen",
      "id": "xxxls2l7yapHAG9ac297",
      "type": "User"
    }
  ],
  "transaction": {
    "detail": {},
    "id": "f33ec192b617d9422a3cc7f0e1e74d0a",
    "type": "WEB"
  },
  "uuid": "42c9152e-dc30-11ef-b493-af286be2f498",
  "version": "0"
}
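As an added example (not part of the issue or the submitted rule), the same 30-minute correlation applied directly to Okta System Log JSON in Python. It deliberately keys on the target user rather than the actor, so a help-desk or compromised admin resetting someone else's account is paired with that account and flagged as admin-initiated; the first two sample events mirror the issue's test data (about 18 hours apart, so they do not pair), and the third event is constructed.

```python
from datetime import datetime, timedelta

# Okta event types the rule pairs: an MFA-factor reset (reset_all in the rule,
# deactivate in its test data) and a password reset within 30 minutes.
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
PW_RESET_EVENT = "user.account.reset_password"
WINDOW = timedelta(minutes=30)

# Constructed sample events trimmed to the fields the check needs. The first two
# mirror the issue's test data; the third is an invented admin-driven reset.
SAMPLE_EVENTS = [
    {"uuid": "732ab020-xxx5-11ef-8b71-532a73f95361",
     "eventType": "user.mfa.factor.deactivate",
     "published": "2025-01-27T15:43:27.062Z",
     "actor": {"alternateId": "kevin.andersen@fake_buisness.com"},
     "target": [{"type": "User", "alternateId": "kevin.andersen@fake_buisness.com"}]},
    {"uuid": "42c9152e-dc30-11ef-b493-af286be2f498",
     "eventType": "user.account.reset_password",
     "published": "2025-01-26T21:55:30.879Z",
     "actor": {"alternateId": "kevin.andersen@fake_buisness.com"},
     "target": [{"type": "User", "alternateId": "kevin.andersen@fake_buisness.com"}]},
    {"uuid": "constructed-0003",
     "eventType": "user.account.reset_password",
     "published": "2025-01-27T15:55:00.000Z",
     "actor": {"alternateId": "helpdesk.admin@fake_buisness.com"},
     "target": [{"type": "User", "alternateId": "kevin.andersen@fake_buisness.com"}]},
]

def _published(event):
    # Okta timestamps are ISO-8601 UTC with a trailing "Z".
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

def find_mfa_pw_reset_pairs(events, window=WINDOW):
    """Return (user, mfa_uuid, pw_uuid, admin_initiated) for each pair in window."""
    by_user = {}
    for ev in events:
        for tgt in ev.get("target", []):
            if tgt.get("type") == "User":
                by_user.setdefault(tgt["alternateId"], []).append(ev)
    hits = []
    for user, evs in by_user.items():
        mfa = [e for e in evs if e["eventType"] in MFA_RESET_EVENTS]
        pw = [e for e in evs if e["eventType"] == PW_RESET_EVENT]
        for m in mfa:
            for p in pw:
                if abs(_published(m) - _published(p)) <= window:
                    # actor != target: an admin (or compromised admin) did it.
                    admin = any(e["actor"]["alternateId"] != user for e in (m, p))
                    hits.append((user, m["uuid"], p["uuid"], admin))
    return hits
```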
barnabys-drew added the rule: new (New rule contributions) label Mar 1, 2025
threat-punter self-assigned this Mar 3, 2025

threat-punter commented Mar 3, 2025

Hey @barnabys-drew,

Thanks for this. Am I correct in understanding that your rule detects when an MFA factor is deactivated for an Okta user followed by their password being reset?

Do you want to include Okta's user.mfa.factor.reset_all event in your rule to detect when all of a user's MFA factors are reset? I'm wondering if you'd consider that event suspicious when combined with the password reset as well.

Can you please open a pull request to stage your proposed rule and we can work on it together in there?

Nice rule by the way.

barnabys-drew (Author) commented

Hey @threat-punter!

Good call out. That would be a better field to catch all of the MFA reset events, and would make this just as suspicious as the event field I submitted.

The 30-minute time window / short time window is what I think makes this suspicious. Granted, you could run into the issue where someone happens to get a new phone, and then a corporate pw reset policy takes effect in that time window, but I think the likelihood of both happening at the same time would be very low.

Let me change this, and get a PR in order.

Best,
Drew

threat-punter (Contributor) commented

What suspicious scenario are you thinking of here? An attacker gains access to a user's Okta account, deactivates one of their MFA factors, and then performs a password reset for the account? Or are you thinking of a compromised Okta admin account carrying out these actions?

threat-punter (Contributor) commented

Here is an example pull request if it helps at all: #97


barnabys-drew commented Mar 3, 2025

When we made the rule, the scenario was presented to us as the latter, but depending on the configuration of Okta in the environment it could be both, from my understanding. Should I map the MITRE technique to something else, or am I reading into this more than I should be, hah?

The scenario I was thinking of was a user's account gets compromised; the attacker then goes and changes the user's PW and MFA to prevent user access - leading into a total takeover.

threat-punter (Contributor) commented

I think your MITRE ATT&CK technique selection is fine, as you're talking about the act of an adversary disabling MFA.
