
Summary
The 'MFA Disabled' detection rule identifies instances where Multi-Factor Authentication (MFA) is disabled for user accounts across several platforms, including GitHub, Zendesk, and Okta. The rule is classified as high severity because of the risk of unauthorized access when MFA is not enforced. Detection works by analyzing the audit logs that record changes to MFA settings in these applications and matching the specific actions that indicate MFA being disabled. The accompanying test cases span the different platforms and verify behaviour when MFA is disabled or enabled, and when particular user actions trigger such changes. The rule uses a 60-minute deduplication period to reduce alert fatigue, and its alerts carry structured log fields that describe the context and origin of each MFA change. Beyond helping ensure that MFA remains enforced, the rule is mapped to the MITRE ATT&CK framework under 'T1556', which covers modification of authentication processes.
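The detection and deduplication flow described above, as an added example that is not the rule's own code: per-platform audit actions are normalized to a single "MFA disabled" signal and repeat alerts for the same platform and actor are folded together within a 60-minute window. The event field names, action strings and sample events are constructed assumptions for this example, not values taken from the rule or from the vendors' log schemas.

```python
from datetime import datetime, timedelta

# Assumed mapping of platform-specific audit actions to the normalized
# "MFA disabled" signal (constructed for this example).
MFA_DISABLED_ACTIONS = {
    "github": {"org.disable_two_factor_requirement"},
    "okta": {"user.mfa.factor.deactivate"},
    "zendesk": {"account_setting.update:2fa_required=false"},
}

DEDUP_WINDOW = timedelta(minutes=60)  # the rule's 60-minute deduplication period

def is_mfa_disabled(event):
    """True when an audit event records MFA being disabled on its platform."""
    return event["action"] in MFA_DISABLED_ACTIONS.get(event["platform"], set())

def dedup_key(event):
    """Alerts are grouped per platform and acting identity."""
    return f"{event['platform']}:{event['actor']}"

def run_rule(events, window=DEDUP_WINDOW):
    """Return one alert per (platform, actor) per dedup window, in time order.
    Matching events that fall inside an open window are folded into the
    alert that opened it rather than raising a new one."""
    alerts, window_opened = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_mfa_disabled(ev):
            continue
        key, ts = dedup_key(ev), ev["time"]
        opened = window_opened.get(key)
        if opened is not None and ts - opened < window:
            continue  # within the dedup period of an existing alert
        window_opened[key] = ts  # the window starts at the alerting event
        alerts.append({"key": key, "time": ts, "target": ev["target"], "severity": "HIGH"})
    return alerts

# Constructed sample audit events (not real log data).
def _t(hhmm):
    return datetime(2022, 9, 2, int(hhmm[:2]), int(hhmm[3:]))

SAMPLE_EVENTS = [
    {"platform": "github", "actor": "alice", "target": "acme-org", "action": "org.disable_two_factor_requirement", "time": _t("10:00")},
    {"platform": "okta", "actor": "bob", "target": "carol@acme.test", "action": "user.mfa.factor.deactivate", "time": _t("10:05")},
    {"platform": "okta", "actor": "bob", "target": "carol@acme.test", "action": "user.mfa.factor.activate", "time": _t("10:10")},
    {"platform": "github", "actor": "alice", "target": "acme-org", "action": "org.disable_two_factor_requirement", "time": _t("10:30")},
    {"platform": "github", "actor": "alice", "target": "acme-org/app", "action": "repo.create", "time": _t("10:45")},
    {"platform": "github", "actor": "alice", "target": "acme-org", "action": "org.disable_two_factor_requirement", "time": _t("11:05")},
]
```

Running `run_rule(SAMPLE_EVENTS)` yields three alerts: the 10:30 GitHub repeat is folded into the 10:00 alert, while the 11:05 event falls outside that window and alerts again.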
Categories
- Identity Management
- Cloud
- Application
Data Sources
- User Account
- Application Log
- Cloud Service
ATT&CK Techniques
- T1556
Created: 2022-09-02