
Summary
The rule detects attempts to disable Multi-Factor Authentication (MFA) for Azure Active Directory (Azure AD) users by analyzing Azure AD audit logs. It keys on the operation named "Disable Strong Authentication": removing MFA from an account strips the additional verification step, so an adversary who already holds the account's credentials can sign in without further checks. Each logged attempt is therefore treated as a significant security event, since it can both facilitate unauthorized access and help an attacker maintain an undetected presence in the organization's environment. The search query provided with the rule uses fields from the Azure AD audit logs to extract and count occurrences of the operation, reporting when the disabling occurred and who initiated it.
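The detection logic described above, applied to constructed Azure AD audit-log lines (an added example, not the rule's own Splunk search; the field names `operationName`, `activityDateTime`, `initiatedBy.user.userPrincipalName` and `targetResources[].userPrincipalName` are assumed from the Microsoft Graph directoryAudit shape, and the sample records are invented):

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Operation name the rule keys on in Azure AD audit logs.
TARGET_OPERATION = "Disable Strong Authentication"

def _parse_time(value):
    # Audit timestamps are ISO 8601 with a trailing "Z"; normalise to aware UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def detect_mfa_disable(lines):
    """Aggregate MFA-disable events per initiating user.

    Returns {initiator: {"count", "firstTime", "lastTime", "targets"}} so an
    analyst can see who disabled MFA, for whom, and when (first/last time).
    """
    findings = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "targets": set()})
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line should not abort the whole search
        if rec.get("operationName") != TARGET_OPERATION:
            continue
        initiator = ((rec.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName", "<unknown>")
        ts = _parse_time(rec["activityDateTime"])
        f = findings[initiator]
        f["count"] += 1
        f["firstTime"] = ts if f["firstTime"] is None else min(f["firstTime"], ts)
        f["lastTime"] = ts if f["lastTime"] is None else max(f["lastTime"], ts)
        for target in rec.get("targetResources") or []:
            if target.get("userPrincipalName"):
                f["targets"].add(target["userPrincipalName"])
    return dict(findings)

# Constructed sample records (not real tenant data); field names follow the
# assumed Microsoft Graph directoryAudit shape. One line is deliberately broken.
SAMPLE_LOGS = [
    json.dumps({"activityDateTime": "2024-11-14T09:12:03Z", "operationName": "Disable Strong Authentication",
                "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
                "targetResources": [{"userPrincipalName": "alice@example.test"}]}),
    json.dumps({"activityDateTime": "2024-11-14T09:15:40Z", "operationName": "Update user",
                "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
                "targetResources": [{"userPrincipalName": "bob@example.test"}]}),
    json.dumps({"activityDateTime": "2024-11-14T10:01:17Z", "operationName": "Disable Strong Authentication",
                "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
                "targetResources": [{"userPrincipalName": "bob@example.test"}]}),
    "not json at all",
]

if __name__ == "__main__":
    for who, f in detect_mfa_disable(SAMPLE_LOGS).items():
        print(f"{who}: {f['count']} MFA-disable events, {f['firstTime']} .. {f['lastTime']}, targets={sorted(f['targets'])}")
```

The unrelated "Update user" record and the malformed line are skipped, leaving one finding for the initiator with two targets.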
Categories
- Cloud
- Identity Management
Data Sources
- Cloud Service
- User Account
ATT&CK Techniques
- T1556
- T1586
- T1586.003
- T1556.006
Created: 2024-11-14