LoFP
/
t1556.006
t1556.006
Title
Tags
aws administrators may disable mfa but it is highly unlikely for this event to occur without prior notice to the company
t1556
t1556.006
t1586
t1586.003
t1621
aws account
splunk
false positives may be generated by normal provisioning workflows for user device registration.
t1078
T1098.005
t1110
t1556.006
t1621
identity
splunk
false positives may be generated by normal provisioning workflows that generate a password reset followed by a device registration.
T1098.005
t1556.006
t1621
identity
splunk
false positives may be generated by users working out the geographic region where the organizations services or technology is hosted.
T1098.005
t1556.006
t1621
identity
splunk
if a mfa reset or deactivated was performed by a system administrator.
t1556
t1556.006
okta
sigma
if this was approved by system administrator.
t1078
t1078.004
t1110
t1556
t1556.006
azure
sigma
legitimate use case may require for users to disable mfa. filter as needed.
t1556
t1556.006
t1586
t1586.003
gcp
azure active directory
splunk
legitimate use case may require for users to disable mfa. filter lightly and monitor for any unusual activity.
t1556
t1556.006
okta tenant
splunk
newly onboarded users who are registering an mfa method for the first time will also trigger this detection.
t1556
t1556.006
azure active directory
aws account
splunk
LoFP
/
t1556.006