MongoDB 2FA Disabled

Panther Rules

Summary
This detection rule monitors the status of two-factor authentication (2FA) in a MongoDB organization. It raises an alert when 2FA is disabled, since requiring 2FA is an important safeguard against unauthorized access to user accounts. The rule examines event logs for instances where the 2FA setting is toggled off or set to optional, both of which indicate a weakened security posture. When a 2FA authentication requirement (ORG_TWO_FACTOR_AUTH_REQUIRED) is expected but not present, or when 2FA is marked as optional (ORG_TWO_FACTOR_AUTH_OPTIONAL), the rule treats this change as a potential security risk. The severity of this event is categorized as medium, reflecting its importance while ranking below high-severity threats. The rule includes a deduplication period of 60 minutes to prevent repeated alerts for the same event, keeping the notification volume manageable for administrators. It relies on monitoring MongoDB organizational events.
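A stand-alone model of the logic described above, added here as an illustration and not Panther's own rule code. It assumes MongoDB organization events arrive as JSON objects with "eventTypeName", "orgId", "username" and "created" fields, and that the 60-minute deduplication window is keyed per organization; the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed field names (not from the page): "eventTypeName", "orgId", "username", "created".
SEVERITY = "MEDIUM"
DEDUP_PERIOD = timedelta(minutes=60)
# Event that records the org-wide 2FA requirement being relaxed to optional.
TWO_FA_OPTIONAL = "ORG_TWO_FACTOR_AUTH_OPTIONAL"

def rule(event: dict) -> bool:
    """Fire when the event shows 2FA is no longer required for the org."""
    return event.get("eventTypeName") == TWO_FA_OPTIONAL

def dedup(event: dict) -> str:
    """Dedup key: one alert per organization per window."""
    return f"mongodb-2fa-disabled:{event.get('orgId', '<unknown-org>')}"

def title(event: dict) -> str:
    return (f"MongoDB: 2FA requirement disabled for org {event.get('orgId', '<unknown-org>')} "
            f"by {event.get('username', '<unknown-user>')}")

def run(events: list) -> list:
    """Apply rule() and a 60-minute dedup window; return the alerts raised."""
    last_alert: dict = {}
    alerts = []
    for ev in events:
        if not rule(ev):
            continue
        key = dedup(ev)
        ts = datetime.fromisoformat(ev["created"])
        prev = last_alert.get(key)
        if prev is not None and ts - prev < DEDUP_PERIOD:
            continue  # repeat for the same org inside the window: suppressed
        last_alert[key] = ts
        alerts.append({"title": title(ev), "severity": SEVERITY, "dedup": key})
    return alerts

# Constructed sample events, not real MongoDB logs.
SAMPLE_EVENTS = [
    {"eventTypeName": "ORG_TWO_FACTOR_AUTH_REQUIRED", "orgId": "org-A",
     "username": "alice@example.com", "created": "2024-04-09T10:00:00+00:00"},
    {"eventTypeName": "ORG_TWO_FACTOR_AUTH_OPTIONAL", "orgId": "org-A",
     "username": "bob@example.com", "created": "2024-04-09T10:05:00+00:00"},
    {"eventTypeName": "ORG_TWO_FACTOR_AUTH_OPTIONAL", "orgId": "org-A",   # within 60 min
     "username": "bob@example.com", "created": "2024-04-09T10:30:00+00:00"},
    {"eventTypeName": "ORG_TWO_FACTOR_AUTH_OPTIONAL", "orgId": "org-B",
     "username": "carol@example.com", "created": "2024-04-09T10:31:00+00:00"},
    {"eventTypeName": "ORG_TWO_FACTOR_AUTH_OPTIONAL", "orgId": "org-A",   # new window
     "username": "bob@example.com", "created": "2024-04-09T11:10:00+00:00"},
]
```

Running `run(SAMPLE_EVENTS)` yields three alerts: the 10:30 repeat for org-A is suppressed, while the 11:10 event falls outside the window and alerts again.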
Categories
  • Cloud
  • Database
Data Sources
  • Cloud Service
  • Application Log
Created: 2024-04-09