
Summary
This detection rule identifies potentially malicious activity related to the addition of a Multi-Factor Authentication (MFA) device to a user account in Microsoft Office 365. The rule uses Splunk's search capabilities to extract the O365 logs that record user updates involving strong authentication methods. A threat actor who has gained access to an account may add an MFA device as a means of maintaining persistent access to that account. The rule's logic captures 'Update user' events in which a 'StrongAuthenticationMethod' change has occurred, and it outputs a comprehensive set of user attributes for each such event, such as account details, access information, and the actions taken. The statistics collected can help identify anomalous account-management behaviour that may indicate a compromised account or an unauthorized access attempt. Proper investigation of these detections can prevent further malicious actions such as privilege escalation, persistent account access, or defense evasion. This aligns with several techniques in the MITRE ATT&CK framework, particularly persistence and initial access through valid accounts.
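The following is an added illustration of the rule's matching logic applied to constructed O365 audit records; it is not the rule's own Splunk search. It assumes the record layout of the O365 Management Activity API (Operation, UserId for the actor, ObjectId for the target, ModifiedProperties with Name/OldValue/NewValue), and the sample records and addresses are constructed for the example.

```python
# Constructed sample O365 audit records (not real log data). Field names follow the
# O365 Management Activity API AzureActiveDirectory schema as assumed here.
SAMPLE_RECORDS = [
    {"Operation": "Update user.", "CreationTime": "2024-02-09T10:15:00",
     "UserId": "alice@contoso.example", "ObjectId": "alice@contoso.example",
     "ClientIP": "203.0.113.10",
     "ModifiedProperties": [
         {"Name": "StrongAuthenticationMethod", "OldValue": "[]",
          "NewValue": '[{"MethodType":6,"Default":true}]'}]},
    {"Operation": "Update user.", "CreationTime": "2024-02-09T11:02:00",
     "UserId": "helpdesk@contoso.example", "ObjectId": "bob@contoso.example",
     "ClientIP": "198.51.100.7",
     "ModifiedProperties": [
         {"Name": "DisplayName", "OldValue": '["Bob"]', "NewValue": '["Robert"]'}]},
    {"Operation": "Add user.", "CreationTime": "2024-02-09T11:30:00",
     "UserId": "helpdesk@contoso.example", "ObjectId": "carol@contoso.example",
     "ClientIP": "198.51.100.7", "ModifiedProperties": []},
]

MFA_PROPERTY = "StrongAuthenticationMethod"


def mfa_changes(record):
    """Return the StrongAuthenticationMethod changes in an 'Update user.' event, else []."""
    if record.get("Operation") != "Update user.":
        return []
    return [p for p in record.get("ModifiedProperties", []) if p.get("Name") == MFA_PROPERTY]


def detect_mfa_method_updates(records):
    """One row per matching event with the actor, target, source IP and old/new values."""
    rows = []
    for rec in records:
        for change in mfa_changes(rec):
            rows.append({
                "time": rec.get("CreationTime"),
                "actor": rec.get("UserId"),      # principal that performed the update
                "target": rec.get("ObjectId"),   # account whose MFA methods changed
                "src_ip": rec.get("ClientIP"),
                "old_value": change.get("OldValue"),
                "new_value": change.get("NewValue"),
                # triage context: self-service registration vs. a change made by another principal
                "self_service": rec.get("UserId") == rec.get("ObjectId"),
            })
    return rows


def summarize_by_target(rows):
    """Count matching events per target account, mirroring the rule's stats-style output."""
    counts = {}
    for row in rows:
        counts[row["target"]] = counts.get(row["target"], 0) + 1
    return counts
```

Only the first record matches: it is an 'Update user.' event whose modified property is StrongAuthenticationMethod, while the second changes a different attribute and the third is not an update at all.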
Categories
- Cloud
- Identity Management
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1078
- T1078.004
Created: 2024-02-09