
Summary
This rule detects a user in the organization disabling Two-Factor Authentication (2FA) on their Zoom account. Turning 2FA off lowers the account's authentication strength and exposes it to a greater risk of unauthorized access. The log details include the action taken (the account update), the operator who performed it, and the exact timestamp of the event. The detection matches only the 'Update' action category for accounts, and validation checks ensure that only the disabling of 2FA is flagged; enabling 2FA is treated as expected behavior. The rule carries a medium severity because of the implications of weakening authentication. The runbook recommends confirming the user's business intent before taking any further action.
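The detection logic described above, as an added example in Python (not the rule's own code): it inspects a Zoom operation-log event, matches only the 'Update' action, and flags a 2FA change from On to Off while ignoring the reverse. The field names (action, operation_detail, operator, time) and the wording of the operation detail are assumptions, and the sample events are constructed.

```python
import re
from typing import Any, Dict

# Assumed wording of the Zoom operation detail for a 2FA change; the
# "from X to Y" capture lets the rule distinguish enabling from disabling.
TWO_FA_CHANGE = re.compile(
    r"Two-Factor Authentication:\s*from\s+(On|Off)\s+to\s+(On|Off)",
    re.IGNORECASE,
)


def rule(event: Dict[str, Any]) -> bool:
    """Return True only when an account Update turns 2FA from On to Off."""
    if event.get("action") != "Update":
        return False
    match = TWO_FA_CHANGE.search(event.get("operation_detail") or "")
    if not match:
        return False
    before, after = (state.lower() for state in match.groups())
    # Off -> On is expected behaviour; only the downgrade is an alert.
    return before == "on" and after == "off"


def title(event: Dict[str, Any]) -> str:
    """Alert title naming the operator and the time of the change."""
    return (
        f"Zoom 2FA disabled by [{event.get('operator', '<UNKNOWN>')}]"
        f" at {event.get('time', '<UNKNOWN>')}"
    )


def severity(event: Dict[str, Any]) -> str:
    return "MEDIUM"


# Constructed sample events (not real log data).
DISABLE_EVENT = {
    "time": "2023-02-10T14:03:10Z",
    "operator": "alice@example.com",
    "action": "Update",
    "operation_detail": "Update Account Security: Sign in with "
    "Two-Factor Authentication: from On to Off",
}
ENABLE_EVENT = dict(
    DISABLE_EVENT,
    operation_detail="Update Account Security: Sign in with "
    "Two-Factor Authentication: from Off to On",
)
UNRELATED_EVENT = dict(DISABLE_EVENT, operation_detail="Update Account: Name: from A to B")
ADD_EVENT = dict(DISABLE_EVENT, action="Add")
```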
Categories
- Cloud
- Web
- Identity Management
Data Sources
- User Account
Created: 2023-02-10