O365 Disable MFA
Description
This search detects when multi-factor authentication has been disabled, which entity performed the action, and against which user.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2022-02-03
- Author: Rod Soto, Splunk
- ID: c783dd98-c703-4252-9e8a-f19d9f5c949e
Annotations
ATT&CK
ID | Technique | Tactic |
---|---|---|
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
Kill Chain Phase
- Exploitation
NIST
CIS20
CVE
Search
`o365_management_activity` Operation="Disable Strong Authentication."
| stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation UserId ResultStatus
|`security_content_ctime(firstTime)`
|`security_content_ctime(lastTime)`
| `o365_disable_mfa_filter`
Macros
The SPL above uses the following macros:
- o365_management_activity
- security_content_ctime
- o365_disable_mfa_filter
Note that o365_disable_mfa_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
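The following is an added example, not part of the original detection content, that reproduces the search logic above in Python over a few constructed o365:management:activity JSON events: it filters on the "Disable Strong Authentication." operation, aggregates count/firstTime/lastTime by UserType, Operation, UserId and ResultStatus, and models the empty o365_disable_mfa_filter macro as an optional allowlist of actors. The sample events, the use of ObjectId as the target user, and the allowlist parameter are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample o365:management:activity events (not real audit data).
SAMPLE_EVENTS = [
    '{"CreationTime":"2022-02-03T10:00:12","Operation":"Disable Strong Authentication.","UserType":0,"UserId":"admin@example.onmicrosoft.com","ObjectId":"alice@example.onmicrosoft.com","ResultStatus":"Success"}',
    '{"CreationTime":"2022-02-03T10:05:40","Operation":"Disable Strong Authentication.","UserType":0,"UserId":"admin@example.onmicrosoft.com","ObjectId":"bob@example.onmicrosoft.com","ResultStatus":"Success"}',
    '{"CreationTime":"2022-02-03T11:15:00","Operation":"Set Strong Authentication.","UserType":0,"UserId":"admin@example.onmicrosoft.com","ObjectId":"carol@example.onmicrosoft.com","ResultStatus":"Success"}',
    '{"CreationTime":"2022-02-03T12:30:05","Operation":"Disable Strong Authentication.","UserType":2,"UserId":"svc-app@example.onmicrosoft.com","ObjectId":"dave@example.onmicrosoft.com","ResultStatus":"Failure"}',
]

TARGET_OP = "Disable Strong Authentication."  # same literal the SPL matches on


def _epoch(ts):
    """CreationTime string -> epoch seconds (plays the role of _time)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


def ctime(epoch):
    """Equivalent of the security_content_ctime macro: epoch -> readable UTC."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def detect_mfa_disable(raw_events, allowlist=()):
    """Mirror of the SPL: filter on Operation, then stats count, earliest and
    latest _time by UserType Operation UserId ResultStatus. `allowlist` (assumed)
    stands in for the o365_disable_mfa_filter macro: actors whose events are dropped."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "targets": []})
    for line in raw_events:
        ev = json.loads(line)
        if ev.get("Operation") != TARGET_OP or ev.get("UserId") in allowlist:
            continue
        key = (ev.get("UserType"), ev["Operation"], ev.get("UserId"), ev.get("ResultStatus"))
        t = _epoch(ev["CreationTime"])
        g = groups[key]
        g["count"] += 1
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        g["targets"].append(ev.get("ObjectId"))  # assumed: target user is carried in ObjectId
    return dict(groups)


def rba_message(user, operation, dest):
    """Fills the RBA message template from the table below with concrete values."""
    return f"User {user} has executed an operation {operation} for this destination {dest}"
```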
Required field
- _time
- Operation
- UserType
- user
- status
- signature
- dest
- ResultStatus
How To Implement
You must install the Splunk Microsoft Office 365 add-on. This search works with the o365:management:activity sourcetype.
Known False Positives
Unless it is a special case, it is uncommon to disable MFA or Strong Authentication.
Associated Analytic story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
64.0 | 80 | 80 | User $user$ has executed an operation $Operation$ for this destination $dest$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.