[Rule Tuning] Remove Salesforce Client User-Agent Whitelisting in MFA Deactivation with no Re-Activation for Okta User Account (#4145)

* tuning

* added note about whitelisting user agent

* removed extra new line

(cherry picked from commit 61b731c)

Author: terrancedejesus

rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/09"
 
 [rule]
 author = ["Elastic"]
@@ -52,6 +52,7 @@ This rule fires when an Okta user account has MFA deactivated and no subsequent
 - Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue.
 - Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.
 - Check if the compromised account was used to access or alter any sensitive data, applications or systems.
+- Review the client user-agent to determine if it's a known custom application that can be whitelisted.
 """
 references = [
     "https://developer.okta.com/docs/reference/api/system-log/",
@@ -69,8 +70,8 @@ type = "eql"
 
 query = '''
 sequence by okta.actor.id with maxspan=12h
-    [any where event.dataset == "okta.system" and okta.event_type == "user.mfa.factor.deactivate"
-        and okta.outcome.result == "SUCCESS" and not okta.client.user_agent.raw_user_agent like "SFDC-Callout*"]
+    [any where event.dataset == "okta.system" and okta.event_type in ("user.mfa.factor.deactivate", "user.mfa.factor.reset_all")
+        and okta.outcome.reason != "User reset SECURITY_QUESTION factor" and okta.outcome.result == "SUCCESS"]
     ![any where event.dataset == "okta.system" and okta.event_type == "user.mfa.factor.activate"]
 '''