
Summary
This rule detects when multi-factor authentication (MFA) enforcement is disabled for a Google Workspace organization, which can indicate that a security control has been tampered with. MFA is a key control: it requires users to present more than one form of identification, so a compromised password alone is far less likely to yield unauthorized access. When MFA enforcement is turned off, every account in the organization becomes more exposed, because a single weak or leaked password is then sufficient to gain access. Adversaries who have obtained administrative privileges may modify authentication policies to disable MFA and thereby weaken the organization's overall security. The rule uses Google Workspace admin audit logs and a query that matches the moment the MFA enforcement setting changes to disabled. Key investigation steps include identifying the user who made the change, checking for related alerts involving that user or organization, confirming whether the account and resource owners were aware of the change, and verifying that it complied with change management policy. Automated responses to this rule should include disabling the affected accounts, assessing the risk impact, and re-enabling MFA enforcement to restore the control. This rule is essential for maintaining security posture in environments that rely on Google Workspace, and it underlines the importance of regularly auditing authentication settings.
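The detection logic described above, as an added example that is not part of the original rule page: a small Python detector that replays constructed Google Workspace admin audit events (newline-delimited JSON) and reports the one that turns organization-wide MFA enforcement off, together with the actor a responder would want to identify first. The flat field names (`dataset`, `category`, `action`, `new_value`, `actor`, `org_unit`) and the action name `ENFORCE_STRONG_AUTHENTICATION` are assumptions about how the logs are normalized, not values taken from the page; adapt them to the field mapping of the log pipeline in use.

```python
"""Added example: detect Google Workspace MFA enforcement being disabled.

Assumptions (not from the original page): each audit event is a flat JSON
object with the keys used below, and a change to organization-wide MFA
enforcement arrives as an admin/iam event whose ``action`` is
"ENFORCE_STRONG_AUTHENTICATION" and whose ``new_value`` is false.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List

# Assumed action name for the enforcement-setting change (see module docstring).
MFA_ENFORCEMENT_ACTIONS = {"ENFORCE_STRONG_AUTHENTICATION"}


@dataclass(frozen=True)
class Finding:
    """One alert-worthy event, carrying the details an analyst triages first."""
    actor: str
    org_unit: str
    timestamp: str
    action: str


def parse_events(ndjson: str) -> List[dict]:
    """Parse newline-delimited JSON; malformed or non-object lines are skipped,
    so one bad line does not stop the rest of the log from being evaluated."""
    events = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events


def is_mfa_disable_event(event: dict) -> bool:
    """True only for an admin iam event that sets MFA enforcement to false.

    Accepts both a JSON boolean false and the string "false", since exporters
    differ in how they serialize the new setting value.
    """
    if event.get("dataset") != "google_workspace.admin":
        return False
    if event.get("category") != "iam":
        return False
    if event.get("action") not in MFA_ENFORCEMENT_ACTIONS:
        return False
    return str(event.get("new_value", "")).strip().lower() == "false"


def find_mfa_disabled(events: Iterable[dict]) -> List[Finding]:
    """Run the rule over a stream of events and return the matching findings."""
    return [
        Finding(
            actor=ev.get("actor", "<unknown>"),
            org_unit=ev.get("org_unit", "/"),
            timestamp=ev.get("@timestamp", ""),
            action=ev["action"],
        )
        for ev in events
        if is_mfa_disable_event(ev)
    ]


# Constructed sample log: one true positive, one enable event, one unrelated
# admin change, one event from another dataset, and one malformed line.
SAMPLE_NDJSON = """
{"@timestamp": "2020-11-17T08:01:00Z", "dataset": "google_workspace.admin", "category": "iam", "action": "ENFORCE_STRONG_AUTHENTICATION", "new_value": true, "actor": "secops@example.com", "org_unit": "/"}
{"@timestamp": "2020-11-17T09:14:22Z", "dataset": "google_workspace.admin", "category": "iam", "action": "ENFORCE_STRONG_AUTHENTICATION", "new_value": false, "actor": "admin@example.com", "org_unit": "/"}
{"@timestamp": "2020-11-17T09:15:00Z", "dataset": "google_workspace.admin", "category": "iam", "action": "CHANGE_PASSWORD_SETTING", "new_value": "false", "actor": "admin@example.com", "org_unit": "/"}
{"@timestamp": "2020-11-17T09:16:00Z", "dataset": "google_workspace.login", "category": "authentication", "action": "ENFORCE_STRONG_AUTHENTICATION", "new_value": "false", "actor": "user@example.com"}
this line is not json and must be skipped
"""


def run_sample() -> List[Finding]:
    """Evaluate the rule against the constructed sample log."""
    return find_mfa_disabled(parse_events(SAMPLE_NDJSON))


if __name__ == "__main__":
    for finding in run_sample():
        print(f"ALERT: {finding.action} set to false by {finding.actor} "
              f"on org unit {finding.org_unit} at {finding.timestamp}")
```

Only the second line fires; the enable event, the unrelated password-setting change, and the login-dataset event are correctly ignored, and the malformed line is skipped rather than aborting the run. The actor and org unit in the finding are exactly the starting points the investigation steps above call for: who made the change, and whether the owners of that organizational unit expected it.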
Categories
- Cloud
- Identity Management
Data Sources
- Pod
- Container
- User Account
- Web Credential
- Cloud Service
ATT&CK Techniques
- T1556
Created: 2020-11-17