diff --git a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
deleted file mode 100644
index d128c950c..000000000
--- a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
+++ /dev/null
@@ -1,57 +0,0 @@
-[metadata]
-creation_date = "2020/05/20"
-integration = ["okta"]
-maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
-
-[rule]
-author = ["Elastic"]
-description = """
-Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for
-an Okta user account in order to weaken the authentication requirements for the account.
-"""
-false_positives = [
- """
- If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to
- filter false positives.
- """,
-]
-index = ["filebeat-*", "logs-okta*"]
-language = "kuery"
-license = "Elastic License v2"
-name = "Attempt to Deactivate MFA for an Okta User Account"
-note = """## Setup
-
-The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
-references = [
- "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/",
- "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
-]
-risk_score = 21
-rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8"
-severity = "low"
-tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"]
-timestamp_override = "event.ingested"
-type = "query"
-
-query = '''
-event.dataset:okta.system and event.action:user.mfa.factor.deactivate
-'''
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
new file mode 100644
index 000000000..ef170cd0c
--- /dev/null
+++ b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
@@ -0,0 +1,95 @@
+[metadata]
+creation_date = "2020/05/20"
+integration = ["okta"]
+maturity = "production"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/12/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. An
+adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the
+account.
+"""
+false_positives = [
+ """
+ If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to
+ filter false positives.
+ """,
+]
+from = "now-12h"
+index = ["filebeat-*", "logs-okta.system*"]
+interval = "6h"
+language = "eql"
+license = "Elastic License v2"
+name = "MFA Deactivation with no Re-Activation for Okta User Account"
+note = """## Triage and analysis
+
+### Investigating MFA Deactivation with no Re-Activation for Okta User Account
+
+MFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for an Okta user account to achieve persistence.
+
+This rule fires when an Okta user account has MFA deactivated and no subsequent MFA reactivation is observed within 12 hours.
+
+#### Possible investigation steps:
+
+- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.
+- Review `okta.target` or `user.target.full_name` fields to determine if deactivation was performed by a se parate user.
+- Using the `okta.actor.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`.
+- Review events where `okta.event_type` is `user.authenticate*` to determine if the user account had suspicious login activity.
+ - Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.
+
+#### False positive steps:
+
+- Determine with the target user if MFA deactivation was expected.
+- Determine if MFA is required for the target user account.
+
+#### Response and remediation:
+
+- If the MFA deactivation was not expected, consider deactivating the user
+ - This should be followed by resetting the user's password and re-enabling MFA.
+- If the MFA deactivation was expected, consider adding an exception to this rule to filter false positives.
+- Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue.
+- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.
+- Check if the compromised account was used to access or alter any sensitive data, applications or systems.
+"""
+references = [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+]
+risk_score = 21
+rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8"
+setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n"
+severity = "low"
+tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta", "Domain: Cloud"]
+type = "eql"
+
+query = '''
+sequence by okta.actor.id with maxspan=12h
+ [any where event.dataset == "okta.system" and okta.event_type == "user.mfa.factor.deactivate"
+ and okta.outcome.result == "SUCCESS" and not okta.client.user_agent.raw_user_agent like "SFDC-Callout*"]
+ ![any where event.dataset == "okta.system" and okta.event_type == "user.mfa.factor.activate"]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+[[rule.threat.technique.subtechnique]]
+id = "T1556.006"
+name = "Multi-Factor Authentication"
+reference = "https://attack.mitre.org/techniques/T1556/006/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+