
Summary
This detection rule monitors changes to the Multi-Factor Authentication (MFA) configuration for administrators accessing the admin panel in a Duo Security environment. It notifies system administrators when the list of allowed MFA factors for administrator logins is updated. By capturing events in which the factor restrictions are altered, the rule helps prevent unauthorized access that could follow from an undesirable change in security configuration. The allowed factors covered by the rule include Duo Mobile passcodes, hardware tokens, Duo Push notifications, and YubiKey AES. Any log event that indicates an update to these allowed factors triggers the rule. In contrast, login events that use disallowed factors do not trigger an alert; they instead serve as a benchmark for expected behavior under the authentication policy.
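The logic summarized above, as an added example that is not the rule's own code: it matches only the factor-restriction update event and reports which factors were added or removed relative to a baseline. The action string, the JSON layout of the `description` field, the factor spellings and the sample events are assumptions constructed for illustration.

```python
import json

# Assumption: the action value written to the Duo administrator log when the
# admin factor restrictions change; confirm it against your own log export.
FACTOR_UPDATE_ACTION = "update_admin_factor_restrictions"

# Baseline built from the factors named in the summary; the exact spellings
# are constructed and must be matched to what your logs contain.
BASELINE = frozenset({"duo mobile passcodes", "hardware tokens", "duo push", "yubikey aes"})

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"action": "admin_login", "username": "alice", "timestamp": "2023-01-20 10:00:00",
     "description": '{"factor": "sms"}'},
    {"action": FACTOR_UPDATE_ACTION, "username": "bob", "timestamp": "2023-01-20 10:05:00",
     "description": '{"allowed_factors": "Duo push, Hardware tokens, SMS passcodes"}'},
    {"action": FACTOR_UPDATE_ACTION, "username": "carol", "timestamp": "2023-01-20 10:09:00",
     "description": "not-json"},
]


def parse_allowed_factors(event):
    """Return the normalized factor set from the description, or None if unparseable."""
    try:
        raw = json.loads(event.get("description") or "")["allowed_factors"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(raw, str):
        return None
    return frozenset(f.strip().lower() for f in raw.split(",") if f.strip())


def evaluate(event, baseline=BASELINE):
    """Return None for unrelated events, else a finding describing the change."""
    if event.get("action") != FACTOR_UPDATE_ACTION:
        return None  # logins, including those with disallowed factors, do not alert
    finding = {"actor": event.get("username", "<unknown>"), "timestamp": event.get("timestamp")}
    factors = parse_allowed_factors(event)
    if factors is None:
        # The restrictions changed but the detail is unreadable: still alert.
        return {**finding, "added": None, "removed": None}
    return {**finding, "added": sorted(factors - baseline), "removed": sorted(baseline - factors)}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["action"], "->", evaluate(ev))
```
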
Categories
- Identity Management
- Cloud
- Application
Data Sources
- User Account
- Application Log
Created: 2023-01-20