[Rule Tuning] High Number of Okta User Password Reset or Unlock Attempts (#1200)

* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

(cherry picked from commit 58ea49b092)

rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml

@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/05/12"
 
 [rule]
-author = ["Elastic"]
+author = ["Elastic", "@BenB196", "Austin Songer"]
 description = """
-Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain
-unauthorized access to an Okta user account using these methods and attempt to blend in with normal activity in their
+Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain 
+unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their 
 target's environment and evade detection.
 """
 false_positives = [
@@ -82,6 +82,7 @@ name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
 
 [rule.threshold]
-field = ["okta.actor.id"]
+field = ["okta.actor.alternate_id"]
 value = 5
 
+