[Rule Tuning] Multi-Factor Authentication Disabled for User #5005

@terrancedejesus

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml

Rule Tuning Type

False Negatives - Enhancing detection of true threats that were previously missed.

Description

The rule needs to be tuned for the following reasons:

  • Update name of the rule
  • Replace Azure AD references with Entra ID
  • Add investigation guide details specific to the behavior
  • Add missing query contents to catch MFA settings disabled by user (phishing)
  • Missing tags
  • Update MITRE mappings

Note - The volume of alerts is not high relative to other rules; however, disabling MFA is inherently anomalous, and there is little room to exclude FPs with this rule. Additionally, this rule only catches user settings being changed (by the user or an admin) to disable MFA. Conditional access policy changes, such as removing a user when the CAP enforces MFA, are not straightforward to detect.

Example Data

No response
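The note above draws a line between what this rule can see (per-user MFA settings changed by an admin or by the user themselves) and what it cannot (conditional access policy edits). The following Python sketch is an added example, not the elastic/detection-rules rule and not Elastic's code: it runs that same distinction over a handful of constructed Entra ID audit-log records. The ECS-style field layout (`event.dataset`, `azure.auditlogs.operation_name`, `azure.auditlogs.properties.*`) is an assumption modelled on the Elastic Azure integration, and the operation names "Disable Strong Authentication" and "User deleted security info" are the Entra audit activities this check keys on; the sample events are invented for the demonstration.

```python
"""Flag Entra ID (formerly Azure AD) audit events that remove MFA for a user.

Added example; not the detection-rules query itself. Field paths follow an
ECS-style layout (assumption), and SAMPLE_EVENTS below are constructed.
"""

# Admin-driven per-user MFA disable (legacy per-user MFA portal / Graph).
ADMIN_DISABLE_OPS = {"Disable Strong Authentication"}
# Self-service removal of a registered authentication method: this is what
# someone holding a phished session can do from the user's own security-info
# page, and it is the gap the issue asks to close.
SELF_SERVICE_OPS = {"User deleted security info"}


def _audit_event(op, actor, target, outcome="success", dataset="azure.auditlogs"):
    """Build one constructed audit-log record in the assumed ECS-style shape."""
    return {
        "event": {"dataset": dataset, "outcome": outcome},
        "azure": {"auditlogs": {
            "operation_name": op,
            "properties": {
                "initiated_by": {"user": {"userPrincipalName": actor}},
                "target_resources": [{"userPrincipalName": target}],
            },
        }},
    }


# Constructed sample input: two true positives, three records that must not fire.
SAMPLE_EVENTS = [
    # admin disables per-user MFA for alice
    _audit_event("Disable Strong Authentication", "admin@example.com", "alice@example.com"),
    # bob (or whoever holds bob's session) deletes his own authenticator
    _audit_event("User deleted security info", "bob@example.com", "bob@example.com"),
    # failed attempt: outcome is not success, so no alert
    _audit_event("Disable Strong Authentication", "admin@example.com", "carol@example.com", outcome="failure"),
    # conditional access policy edit: not covered, exactly as the note says
    _audit_event("Update conditional access policy", "admin@example.com", "MFA for all users"),
    # unrelated sign-in record from a different dataset
    _audit_event("Sign-in activity", "dave@example.com", "dave@example.com", dataset="azure.signinlogs"),
]


def _get(record, dotted_path, default=None):
    """Walk a nested dict by a dotted path, returning default on any miss."""
    node = record
    for key in dotted_path.split("."):
        if isinstance(node, dict) and key in node:
            node = node[key]
        else:
            return default
    return node


def find_mfa_disable_events(events):
    """Return one finding per successful audit event that removes MFA for a user.

    Each finding records whether the change was admin-driven or self-service,
    and whether the initiating principal is also the target (a self change),
    which is the detail an analyst wants first when triaging a phishing case.
    """
    findings = []
    for ev in events:
        if _get(ev, "event.dataset") != "azure.auditlogs":
            continue
        if str(_get(ev, "event.outcome", "")).lower() != "success":
            continue
        op = _get(ev, "azure.auditlogs.operation_name")
        if op in ADMIN_DISABLE_OPS:
            kind = "admin_disabled"
        elif op in SELF_SERVICE_OPS:
            kind = "self_service_removed"
        else:
            continue  # policy edits and everything else fall outside this rule
        actor = _get(ev, "azure.auditlogs.properties.initiated_by.user.userPrincipalName")
        targets = _get(ev, "azure.auditlogs.properties.target_resources") or []
        target = targets[0].get("userPrincipalName") if targets else None
        findings.append({
            "operation": op,
            "kind": kind,
            "actor": actor,
            "target": target,
            "self_change": actor is not None and actor == target,
        })
    return findings


if __name__ == "__main__":
    for f in find_mfa_disable_events(SAMPLE_EVENTS):
        print(f)
```

Running it prints the two findings (the admin disable for alice and bob's self-service removal) and stays silent on the failed attempt, the conditional access policy edit and the sign-in record, which mirrors the coverage boundary the note describes.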
