Okta

Okta Events of Interest:

  • user.mfa.factor.activate - Activate MFA factor (basically add device).

  • user.mfa.factor.deactivate - Remove MFA factor

  • user.account.reset_password - Reset password

  • user.session.start - Authentication attempt

  • device.user.add - Add MFA device (depends on factor).

  • user.authentication.sso - User clicks a tile in their assigned applications for SSO.

Hunting MFA Devices:

Use the device inventory to look for deactivated or active devices.
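
A hunting sketch over the event types listed above, added here as an example and not part of the original notes: it flags an MFA factor or device change that follows a password reset for the same user. The records are constructed samples shaped like Okta System Log entries; the reset-then-change pairing and the 30-minute window are assumptions for illustration, and `subject` and `mfa_changes_after_reset` are hypothetical helper names.

```python
import json
from datetime import datetime, timedelta

# Event types taken from the list on this page.
MFA_CHANGE = {"user.mfa.factor.activate", "user.mfa.factor.deactivate", "device.user.add"}
RESET = "user.account.reset_password"

# Constructed System Log records (not real data), trimmed to the fields used here.
SAMPLE_LOG = json.loads("""[
 {"published":"2024-05-01T10:00:00.000Z","eventType":"user.account.reset_password","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"admin@example.com"},"target":[{"type":"User","alternateId":"alice@example.com"}],"client":{"ipAddress":"198.51.100.7"}},
 {"published":"2024-05-01T10:04:30.000Z","eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"target":[{"type":"User","alternateId":"alice@example.com"}],"client":{"ipAddress":"203.0.113.50"}},
 {"published":"2024-05-01T10:05:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"target":[],"client":{"ipAddress":"203.0.113.50"}},
 {"published":"2024-05-01T09:00:00.000Z","eventType":"user.mfa.factor.deactivate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"target":[{"type":"User","alternateId":"bob@example.com"}],"client":{"ipAddress":"198.51.100.9"}},
 {"published":"2024-05-01T12:00:00.000Z","eventType":"device.user.add","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"target":[{"type":"User","alternateId":"alice@example.com"}],"client":{"ipAddress":"198.51.100.7"}}
]""")

def subject(event):
    """Return the affected user: the first target of type User, else the actor."""
    for t in event.get("target") or []:
        if t.get("type") == "User":
            return t.get("alternateId")
    return event.get("actor", {}).get("alternateId")

def parse_time(stamp):
    # Replace the trailing Z so fromisoformat also works before Python 3.11.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def mfa_changes_after_reset(events, window=timedelta(minutes=30)):
    """List (user, eventType, seconds_after_reset, ip) for MFA changes soon after a reset."""
    last_reset, findings = {}, []
    for ev in sorted(events, key=lambda e: parse_time(e["published"])):
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue  # only completed changes are of interest here
        user, when = subject(ev), parse_time(ev["published"])
        if ev["eventType"] == RESET:
            last_reset[user] = when
        elif ev["eventType"] in MFA_CHANGE and user in last_reset:
            gap = when - last_reset[user]
            if gap <= window:
                findings.append((user, ev["eventType"], int(gap.total_seconds()),
                                 ev.get("client", {}).get("ipAddress")))
    return findings

if __name__ == "__main__":
    for finding in mfa_changes_after_reset(SAMPLE_LOG):
        print(finding)
```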

Entra ID:

  • MFA devices registered in Okta do NOT show up in Entra ID.

  • Successful Okta MFA logins do NOT show up as multifactor in sign-in logs.

  • Successful Okta MFA logins do NOT show up in AUDIT logs.

Countermeasures:

Secure Policies (Hardening):

How Okta Works:
