diff --git a/packages/entityanalytics_okta/changelog.yml b/packages/entityanalytics_okta/changelog.yml index 52ea7b91fd2..f40e7c26f7d 100644 --- a/packages/entityanalytics_okta/changelog.yml +++ b/packages/entityanalytics_okta/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.0" + changes: + - description: Record whether a user's credentials include a recovery question. + type: enhancement + link: https://github.com/elastic/integrations/pull/10702 - version: "1.2.0" changes: - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. diff --git a/packages/entityanalytics_okta/data_stream/user/_dev/test/pipeline/test-user.json b/packages/entityanalytics_okta/data_stream/user/_dev/test/pipeline/test-user.json index 3230ec403f4..b7147df4945 100644 --- a/packages/entityanalytics_okta/data_stream/user/_dev/test/pipeline/test-user.json +++ b/packages/entityanalytics_okta/data_stream/user/_dev/test/pipeline/test-user.json @@ -40,7 +40,8 @@ "provider": { "type": "OKTA", "name": "OKTA" - } + }, + "recovery_question": {} } }, "user": { diff --git a/packages/entityanalytics_okta/data_stream/user/_dev/test/pipeline/test-user.json-expected.json b/packages/entityanalytics_okta/data_stream/user/_dev/test/pipeline/test-user.json-expected.json index 562cef9e89d..ad1c3454e6a 100644 --- a/packages/entityanalytics_okta/data_stream/user/_dev/test/pipeline/test-user.json-expected.json +++ b/packages/entityanalytics_okta/data_stream/user/_dev/test/pipeline/test-user.json-expected.json @@ -26,6 +26,9 @@ "provider": { "name": "OKTA", "type": "OKTA" + }, + "recovery_question": { + "is_set": true } }, "id": "00ub0oNGTSWTBKOLGLNR", 
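Review bot: Only the present case is pinned by these fixtures: the input gains `"recovery_question": {}` and the expected output gains `"is_set": true`, while the pipeline change in this commit also writes `is_set: false` when the object is missing. As far as these hunks show, no test event omits `recovery_question`, so the `false` branch appears untested. A second event without the key, with `"recovery_question": {"is_set": false}` in its expected output, would cover it.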
diff --git a/packages/entityanalytics_okta/data_stream/user/elasticsearch/ingest_pipeline/default.yml b/packages/entityanalytics_okta/data_stream/user/elasticsearch/ingest_pipeline/default.yml index e8ca0c75097..2defa3e3a4d 100644 --- a/packages/entityanalytics_okta/data_stream/user/elasticsearch/ingest_pipeline/default.yml +++ b/packages/entityanalytics_okta/data_stream/user/elasticsearch/ingest_pipeline/default.yml @@ -548,6 +548,19 @@ processors: tag: append_user_profile_manager_name_into_related_user allow_duplicates: false if: ctx.entityanalytics_okta?.user?.profile?.manager?.name != null + - set: + field: okta.credentials.recovery_question.is_set + value: true + if: ctx.okta?.credentials?.recovery_question != null + - set: + field: okta.credentials.recovery_question.is_set + value: false + if: ctx.okta?.credentials?.recovery_question == null + - rename: + field: okta.credentials.recovery_question + target_field: entityanalytics_okta.user.credentials.recovery_question + tag: rename_user_credentials_recovery_question + ignore_missing: true - rename: field: okta.credentials.provider.type target_field: entityanalytics_okta.user.credentials.provider.type diff --git a/packages/entityanalytics_okta/data_stream/user/fields/fields.yml b/packages/entityanalytics_okta/data_stream/user/fields/fields.yml index 904f0775f6f..3e77ec8721c 100644 --- a/packages/entityanalytics_okta/data_stream/user/fields/fields.yml +++ b/packages/entityanalytics_okta/data_stream/user/fields/fields.yml @@ -26,6 +26,8 @@ type: keyword - name: type type: keyword + - name: recovery_question.is_set + type: boolean - name: id type: keyword description: unique key for user. diff --git a/packages/entityanalytics_okta/docs/README.md b/packages/entityanalytics_okta/docs/README.md index 9a35f2095dc..c188f0c616b 100644 --- a/packages/entityanalytics_okta/docs/README.md +++ b/packages/entityanalytics_okta/docs/README.md 
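Review bot: The `rename` at the end of the added processors moves the whole `okta.credentials.recovery_question` object, so any subfield the input forwards under it lands in `entityanalytics_okta.user.credentials.recovery_question`, although `fields.yml` declares only `is_set`. The fixture exercises only an empty object, so whether this can happen depends on the input stripping the contents upstream, which is not visible here. Writing the flag straight to the target field and removing the source object limits the pipeline to the boolean regardless, and makes the two `if` conditions independent of processor order. The two `set` processors also lack a `tag`, unlike the neighbouring processors.

```yaml
  - set:
      field: entityanalytics_okta.user.credentials.recovery_question.is_set
      tag: set_user_credentials_recovery_question_is_set
      value: true
      if: ctx.okta?.credentials?.recovery_question != null
  - set:
      field: entityanalytics_okta.user.credentials.recovery_question.is_set
      tag: set_user_credentials_recovery_question_is_not_set
      value: false
      if: ctx.okta?.credentials?.recovery_question == null
  # Drop the source object so only the boolean is indexed.
  - remove:
      field: okta.credentials.recovery_question
      tag: remove_okta_credentials_recovery_question
      ignore_missing: true
  # … unchanged: rename of okta.credentials.provider.type …
```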
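Review bot: `recovery_question.is_set` is added to `fields.yml` without a `description`, so its README row is blank. A reader cannot tell that `false` is also written when the object is simply absent from the record, as the pipeline change in this commit does. Suggest adding `description: Whether the user's credentials include a recovery question; false when none is reported.` under the new entry.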
@@ -280,6 +280,7 @@ An example event for `user` looks as following: | entityanalytics_okta.user.created | timestamp when user was created. | date | | entityanalytics_okta.user.credentials.provider.name | | keyword | | entityanalytics_okta.user.credentials.provider.type | | keyword | +| entityanalytics_okta.user.credentials.recovery_question.is_set | | boolean | | entityanalytics_okta.user.id | unique key for user. | keyword | | entityanalytics_okta.user.last_login | timestamp of last login. | date | | entityanalytics_okta.user.last_updated | timestamp when user was last updated. | date | diff --git a/packages/entityanalytics_okta/manifest.yml b/packages/entityanalytics_okta/manifest.yml index e7650a2016d..3e36b795595 100644 --- a/packages/entityanalytics_okta/manifest.yml +++ b/packages/entityanalytics_okta/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: entityanalytics_okta title: Okta Entity Analytics -version: "1.2.0" +version: "1.3.0" description: "Collect User Identities from Okta with Elastic Agent." type: integration categories: