Techniques
Sample rules
Google Workspace MFA Disabled
- source: sigma
- technicques:
Description
Detects when multi-factor authentication (MFA) is disabled.
Detection logic
condition: all of selection*
selection_base:
eventName:
- ENFORCE_STRONG_AUTHENTICATION
- ALLOW_STRONG_AUTHENTICATION
eventService: admin.googleapis.com
selection_eventValue:
new_value: 'false'