Rules Contributing to Microsoft Entra ID MFA Disabled Alert
The following rules identify events in which Microsoft Entra ID multi-factor authentication is disabled. A match on any one or more of these rules triggers the Microsoft Entra ID MFA Disabled Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title | Description
---|---
Disabled MFA to Bypass Authentication Mechanisms | Detection for when multi-factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms. More details

Field | Value
---|---
Rule ID |
Query | `{'selection': {'properties_message': 'Disable Strong Authentication.', 'result': 'success'}, 'condition': 'selection'}`
Log Source | Stellar Cyber Microsoft Entra Events configured.
Rule Source | SigmaHQ, 7ea78478-a4f9-42a6-9dcd-f861816122bf
Author | @ionsor
Tactics, Techniques, and Procedures |
References |
Severity | 50
Suppression Logic Based On |
Additional Information |
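The rule's query evaluated over a handful of events, as an added example that is not part of the original page or the vendor's code. It assumes standard Sigma semantics (fields within a selection are ANDed, plain string values compare case-insensitively); the sample events and their `user` and `actor` fields are constructed for illustration.

```python
import ast

# Query string exactly as shown in the rule details on this page.
QUERY = ("{'selection': {'properties_message': 'Disable Strong Authentication.', "
         "'result': 'success'}, 'condition': 'selection'}")

def field_matches(expected, actual):
    """Plain Sigma values match case-insensitively; a list of values means OR."""
    if isinstance(expected, list):
        return any(field_matches(e, actual) for e in expected)
    if actual is None:  # a missing field never matches
        return False
    return str(actual).lower() == str(expected).lower()

def selection_matches(selection, event):
    """Every field in a selection must match (logical AND)."""
    return all(field_matches(v, event.get(k)) for k, v in selection.items())

def rule_matches(rule, event):
    """Handles only a condition that names one selection, as this rule does."""
    name = rule["condition"].strip()
    if name == "condition" or name not in rule:
        raise ValueError(f"unsupported condition: {name!r}")
    return selection_matches(rule[name], event)

def detect(events, query=QUERY):
    """Return the events that would contribute to the MFA Disabled alert."""
    rule = ast.literal_eval(query)  # the page shows the query as a dict literal
    return [e for e in events if rule_matches(rule, e)]

# Constructed sample events (not real logs); 'user' and 'actor' are hypothetical.
SAMPLE_EVENTS = [
    {"properties_message": "Disable Strong Authentication.", "result": "success",
     "user": "alice@example.com", "actor": "helpdesk@example.com"},
    {"properties_message": "Disable Strong Authentication.", "result": "failure",
     "user": "bob@example.com", "actor": "helpdesk@example.com"},
    {"properties_message": "Enable Strong Authentication.", "result": "success",
     "user": "carol@example.com", "actor": "helpdesk@example.com"},
    {"properties_message": "disable strong authentication.", "result": "Success",
     "user": "dave@example.com", "actor": "svc-sync@example.com"},
    {"result": "success", "user": "erin@example.com", "actor": "unknown"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"MFA disabled for {hit['user']} by {hit['actor']}")
```

Failed attempts to disable MFA do not match, because the selection requires `result` to be `success`.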