A user modified an Okta MFA factor

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-03-10

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: Okta Audit Log
Detection Modules	Identity Threat Module
Detector Tags	Okta Audit Analytics
ATT&CK Tactic	Credential Access (TA0006) Persistence (TA0003)
ATT&CK Technique	Modify Authentication Process (T1556) Modify Authentication Process: Multi-Factor Authentication (T1556.006)
Severity	Informational

An Okta MFA factor was modified by a user, suggesting a potential compromise of the account.

An attacker is attempting to gain access to an account secured with MFA.

Contact the user and ensure the operation was legitimate.
Check if the user modifies more factors.
If the user activates a weak factor, check for abnormal successful sign-ins from different countries and times.
If the user deactivates a strong factor, check if he authenticates with unusual factors and checks for abnormal successful sign-ins from different countries and times.

ATT&CK Tactic

ATT&CK Technique

Severity

Low

An OKTA MFA factor was modified by a user with suspicious conditions.

An attacker is attempting to gain access to an account secured with MFA.

Contact the user and ensure the operation was legitimate.
Check if the user modifies more factors.
If the user activates a weak factor, check for abnormal successful sign-ins from different countries and times.
If the user deactivates a strong factor, check if he authenticates with unusual factors and checks for abnormal successful sign-ins from different countries and times.