
Summary
This analytic rule detects attempts to disable multi-factor authentication (MFA) for users in Google Cloud Platform (GCP) environments. It keys on the `UNENROLL_USER_FROM_STRONG_AUTH` command recorded in Google Workspace Admin logs. Disabling MFA is a significant security risk because it lets an unauthorized user keep access to a compromised account without raising red flags. The analytic uses Splunk to collect the relevant events and identifies when MFA has been disabled by monitoring administrative actions on GCP users. Given the implications of such an action, any occurrence of this event should be investigated further to prevent data breaches or unauthorized actions within the organization.
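To show the same detection logic outside Splunk, the following is an added Python example (not part of the original rule or its content pack) that scans constructed Google Workspace admin activity records and reports which actor unenrolled which user from strong authentication, grouped by actor and target like the rule's stats. The Reports API record layout and the `USER_EMAIL` parameter name are assumptions.

```python
# Event name in the Google Workspace admin audit log that the rule keys on.
MFA_DISABLED_EVENT = "UNENROLL_USER_FROM_STRONG_AUTH"

# Constructed sample records shaped like Reports API admin activities
# (assumed layout); only the fields this check reads are included.
SAMPLE_ACTIVITIES = [
    {"id": {"time": "2024-11-14T09:12:00Z", "applicationName": "admin"},
     "actor": {"email": "admin@example.test"},
     "events": [{"type": "USER_SETTINGS", "name": "CHANGE_PASSWORD",
                 "parameters": [{"name": "USER_EMAIL", "value": "alice@example.test"}]}]},
    {"id": {"time": "2024-11-14T09:15:30Z", "applicationName": "admin"},
     "actor": {"email": "admin@example.test"},
     "events": [{"type": "USER_SETTINGS", "name": MFA_DISABLED_EVENT,
                 "parameters": [{"name": "USER_EMAIL", "value": "alice@example.test"}]}]},
    {"id": {"time": "2024-11-14T11:40:05Z", "applicationName": "admin"},
     "actor": {"email": "helpdesk@example.test"},
     "events": [{"type": "USER_SETTINGS", "name": MFA_DISABLED_EVENT,
                 "parameters": [{"name": "USER_EMAIL", "value": "bob@example.test"}]},
                {"type": "USER_SETTINGS", "name": MFA_DISABLED_EVENT,
                 "parameters": [{"name": "USER_EMAIL", "value": "carol@example.test"}]}]},
]

def _target_user(event):
    # The affected account is assumed to travel in the USER_EMAIL parameter.
    for p in event.get("parameters", []):
        if p.get("name") == "USER_EMAIL":
            return p.get("value")
    return None

def find_mfa_unenrollments(activities):
    """Map (actor, target user) -> count/firstTime/lastTime for every
    UNENROLL_USER_FROM_STRONG_AUTH event, like the rule's stats by actor and user."""
    hits = {}
    for rec in activities:
        actor = rec.get("actor", {}).get("email", "<unknown>")
        when = rec.get("id", {}).get("time", "")  # ISO-8601 UTC, sortable as text
        for ev in rec.get("events", []):  # one record may carry several events
            if ev.get("name") != MFA_DISABLED_EVENT:
                continue
            key = (actor, _target_user(ev) or "<unknown>")
            h = hits.setdefault(key, {"count": 0, "firstTime": when, "lastTime": when})
            h["count"] += 1
            h["firstTime"] = min(h["firstTime"], when)
            h["lastTime"] = max(h["lastTime"], when)
    return hits

if __name__ == "__main__":
    for (actor, user), h in find_mfa_unenrollments(SAMPLE_ACTIVITIES).items():
        print(f"{actor} unenrolled {user} from MFA: {h['count']}x, {h['firstTime']}..{h['lastTime']}")
```

Each row of the result is one (actor, target) pair to triage; the password change in the first record is deliberately ignored to show that only the unenroll event fires.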
Categories
- Cloud
- AWS
- Identity Management
Data Sources
- Cloud Service
- User Account
- Application Log
ATT&CK Techniques
- T1556
- T1586
- T1586.003
- T1556.006
Created: 2024-11-14