
Summary
This rule detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users, posing a significant security risk for organizations. The rule leverages Google Workspace audit logs to identify events where the MFA enforcement setting is altered. MFA enhances security by requiring users to present multiple forms of identification, thus reducing the likelihood of unauthorized access through compromised passwords. The disabling of this feature can be indicative of malicious activity, as attackers may attempt to weaken security controls to exploit user accounts.
The implementation of this rule involves querying Google Workspace logs to check for events related to the 'ENFORCE_STRONG_AUTHENTICATION' action toggled to false for user accounts. The rule provides insight into potential account compromise, facilitating appropriate investigation steps, including reviewing user account activity, assessing compliance with organizational policies, and engaging incident response protocols if necessary. Notably, the rule also addresses the possibility of false positives due to changes made by system administrators, encouraging teams to verify such alterations thoroughly.
The false positives noted above stem from legitimate administrative actions that modify MFA settings. To manage them without losing coverage, establish explicit exception handling that separates expected, documented changes from anomalous ones that may indicate a threat. The overall objective of this rule is to preserve stringent security controls while keeping operational disruption from routine administrative maintenance in Google Workspace to a minimum.
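The detection logic described above, with the exception handling for known administrators, as an added example that is not the rule's own query. It assumes the Elastic google_workspace integration's ECS field layout (event.dataset, event.action, google_workspace.admin.new_value, source.user.email) and runs over constructed sample events.

```python
# Detection logic for the rule above, run over constructed sample events.
# Field layout (event.dataset, event.action, google_workspace.admin.new_value,
# source.user.email) follows the Elastic google_workspace integration's ECS
# mapping and is an assumption here; the events themselves are constructed.

ACTION = "ENFORCE_STRONG_AUTHENTICATION"

def _admin_event(ts, actor, action, new_value=None):
    """Build one constructed Google Workspace admin audit event."""
    return {
        "@timestamp": ts,
        "event": {"dataset": "google_workspace.admin", "action": action},
        "source": {"user": {"email": actor}},
        "google_workspace": {"admin": {"new_value": new_value}},
    }

SAMPLE_EVENTS = [
    _admin_event("2024-05-01T09:12:00Z", "contractor@example.com", ACTION, "false"),
    _admin_event("2024-05-01T10:30:00Z", "it-admin@example.com", ACTION, "false"),
    _admin_event("2024-05-01T11:00:00Z", "it-admin@example.com", ACTION, "true"),
    _admin_event("2024-05-01T11:05:00Z", "it-admin@example.com", "CHANGE_PASSWORD"),
]

def _get(event, path, default=None):
    """Walk a dotted path such as 'google_workspace.admin.new_value'."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def mfa_enforcement_disabled(events, expected_actors=frozenset()):
    """One finding per event that sets ENFORCE_STRONG_AUTHENTICATION to false.
    Changes by expected_actors (the IT admin team) are tagged 'expected' rather
    than dropped, so a change via a compromised admin account still leaves a trail."""
    findings = []
    for ev in events:
        if (_get(ev, "event.dataset") != "google_workspace.admin"
                or _get(ev, "event.action") != ACTION):
            continue
        # The audit log carries the new setting as a string; normalise it.
        if str(_get(ev, "google_workspace.admin.new_value", "")).lower() != "false":
            continue
        actor = _get(ev, "source.user.email", "<unknown>")
        disposition = "expected" if actor in expected_actors else "investigate"
        findings.append({"timestamp": ev.get("@timestamp"), "actor": actor,
                         "disposition": disposition})
    return findings
```

Only the two events that turn enforcement off produce findings; the one made by the listed admin is tagged for lower-priority review instead of being silently suppressed.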
Categories
- Cloud
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1531
Created: 2020-11-17