authorized modification by administrators

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml>sigma
technicques: t1556

Techniques

Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.

condition: selection
selection:
  eventName: Disable Strong Authentication.
  eventSource: AzureActiveDirectory
  status: success