Detection | high | test
Disabling Multi Factor Authentication
Detects disabling of Multi Factor Authentication.
Splunk Threat Research Team (original rule), Harjot Singh (sigma rule)
Created Mon Sep 18
60de9b57-dc4d-48b9-a6a0-b39e0469f876
cloud
Log Source
Product: Microsoft 365 (raw: m365)
Service: audit (raw: audit)
Detection Logic
detection:
    selection:
        Operation|contains: 'Disable Strong Authentication.'
    condition: selection
False Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
References
MITRE ATT&CK
Rule Metadata
Rule ID
60de9b57-dc4d-48b9-a6a0-b39e0469f876
Status
test
Level
high
Type
Detection
Created
Mon Sep 18
Path
rules/cloud/m365/audit/microsoft365_disabling_mfa.yml
Raw Tags
attack.persistence, attack.defense-evasion, attack.credential-access, attack.t1556.006