Disabling Multi Factor Authentication
Detects disabling of Multi Factor Authentication.
Sigma rule
title: Disabling Multi Factor Authentication
id: 60de9b57-dc4d-48b9-a6a0-b39e0469f876
status: test
description: Detects disabling of Multi Factor Authentication.
references:
    - https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/
author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
date: 2023-09-18
tags:
    - attack.persistence
    - attack.t1556
logsource:
    service: audit
    product: m365
detection:
    selection:
        Operation|contains: 'Disable Strong Authentication.'
    condition: selection
falsepositives:
    - Unlikely
level: high
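The rule's selection can be checked offline against exported audit records. The following is an added example, not part of the Sigma rule or the Splunk original: the sample records are constructed, the helper names `matches` and `detect` are hypothetical, and reading `ObjectId` as the affected account is an assumption.

```python
import json

# Selection from the rule above: Operation|contains: 'Disable Strong Authentication.'
NEEDLE = "Disable Strong Authentication."

# Constructed sample records (not real tenant data), one JSON object per line,
# using field names from the Microsoft 365 unified audit log schema.
SAMPLE_LOG = """\
{"CreationTime": "2023-09-18T10:02:11", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ObjectId": "alice@example.com"}
{"CreationTime": "2023-09-18T10:05:40", "Operation": "Disable Strong Authentication.", "UserId": "admin@example.com", "ObjectId": "bob@example.com"}
{"CreationTime": "2023-09-18T10:06:02", "Operation": "disable strong authentication.", "UserId": "admin@example.com", "ObjectId": "carol@example.com"}
{"CreationTime": "2023-09-18T10:07:15", "Workload": "AzureActiveDirectory", "UserId": "dave@example.com"}
not-json garbage line
"""


def matches(event):
    """Sigma 'contains' is a case-insensitive substring match by default."""
    op = event.get("Operation")
    return isinstance(op, str) and NEEDLE.lower() in op.lower()


def detect(log_text):
    """Return one alert per matching record; skip lines that are not JSON objects."""
    alerts = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed export line, nothing to evaluate
        if isinstance(event, dict) and matches(event):
            alerts.append({
                "time": event.get("CreationTime"),
                "actor": event.get("UserId"),      # account that made the change
                "target": event.get("ObjectId"),   # assumed: account whose MFA was disabled
                "level": "high",                   # severity taken from the rule
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Records with no `Operation` field and lines that fail to parse are skipped rather than raising, so a damaged export does not stop the scan.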
Related rules
- AWS Identity Center Identity Provider Change
- CA Policy Removed by Non Approved Actor
- CA Policy Updated by Non Approved Actor
- Certificate-Based Authentication Enabled
- Change to Authentication Method