Try in Splunk Security Cloud

Description

This search detects when multi factor authentication has been disabled, what entitiy performed the action and against what user

  • Type: TTP
  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-12-16
  • Author: Rod Soto, Splunk
  • ID: c783dd98-c703-4252-9e8a-f19d9f5c949e

ATT&CK

ID Technique Tactic
T1556 Modify Authentication Process Credential Access, Defense Evasion, Persistence
`o365_management_activity` Operation="Disable Strong Authentication." 
| stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation user status signature dest ResultStatus 
|`security_content_ctime(firstTime)` 
|`security_content_ctime(lastTime)` 
| `o365_disable_mfa_filter`

Associated Analytic Story

How To Implement

You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity

Required field

  • _time
  • Operation
  • UserType
  • user
  • status
  • signature
  • dest
  • ResultStatus

Kill Chain Phase

  • Actions on Objective

Known False Positives

Unless it is a special case, it is uncommon to disable MFA or Strong Authentication

RBA

Risk Score Impact Confidence Message
64.0 80 80 User $user$ has executed an operation $Operation$ for this destination $dest$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1