Okta
Okta Events of Interest:
user.mfa.factor.activate - Active MFA factor (basically add device).
user.mfa.factor.deactivate - Remove MFA factor
user.account.reset_password - Reset password
user.session.start - Authentication attempt
device.user.add - Add MFA device (depends on factor).
user.authentication.sso - User clicks a tile in their assigned applications for SSO.
Hunting MFA Devices:

Using device inventory to look for deactivated or active devices.

Entra ID:
MFA devices registered in Okta do NOT show up in Entra ID.
Successful Okta MFA logins do NOT show up as multifactor in sign-in logs.
Successful Okta MFA logins do NOT show up in AUDIT logs.
Countermeasures:
Secure Policies (Hardening):
How Okta Works:
Last updated