Forum Discussion
mchhetry14
Oct 24, 2020 | Copper Contributor
MFA enabled/disabled using kql
Hi All, I am trying to check if any user's MFA (for Azure or any other cloud portal) was disabled in a given time period using KQL in log analytics Sentinel. I tried to look for the relevant...
Thijs Lecomte
Oct 25, 2020 | Bronze Contributor
How are you enabling MFA? Through Conditional Access or 'Per user MFA'?
For per user MFA, there is a rule available, it's in the rules template 'MFA disabled for a user'.
For Conditional Access, you are best off monitoring Conditional Access policies.
mchhetry14
Oct 26, 2020 | Copper Contributor
Thijs Lecomte - Thank you for your reply.
We are enabling MFA on a per-user basis, and when I check the rule 'MFA disabled for a user' it uses the AuditLogs table and joins it with the AWSCloudTrail table.
Not sure why AWSCloudTrail is being used; to me it seems as if the rule is meant to find MFA disabled for AWS users (we are not using AWS).
Is there any query you could share to find MFA disabled for Azure users?
Thijs Lecomte
Oct 29, 2020 | Bronze Contributor
This rule will check both AWS and AuditLogs.
I have this rule in use in environments with only Azure and I confirm this works.
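For readers who want the Azure-only half of that rule spelled out, the following KQL is an added example written for this page; it is not the text of the Sentinel 'MFA disabled for a user' template and was not posted by either participant. It assumes the Azure AD AuditLogs table is connected to the workspace, that per-user MFA changes are logged there with OperationName "Disable Strong Authentication", and that the 7-day lookback is a placeholder you adjust. The second branch shows the same pattern the template uses for AWS: with `union isfuzzy=true` the query still runs when the AWSCloudTrail table does not exist in the workspace, which is why the rule works in Azure-only environments.

```kql
// Added example: find per-user MFA being disabled in Azure AD, with an optional
// AWS branch that is tolerated when the AWSCloudTrail table is absent.
// Assumption: lookback window; change to the period you are investigating.
let lookback = 7d;
// Azure AD branch: per-user MFA disable events land in AuditLogs.
let AzureMfaDisabled = AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName =~ "Disable Strong Authentication"
    // InitiatedBy is dynamic; pull out who did it and from where.
    | extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    | extend InitiatingIP   = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
    // One audit record can carry several target resources; expand them.
    | mv-expand TargetResources
    | extend TargetUser = tostring(TargetResources.userPrincipalName)
    | project TimeGenerated, Source = "AzureAD", OperationName, Result,
              InitiatingUser, InitiatingIP, TargetUser, CorrelationId;
// AWS branch: IAM MFA device deactivation/deletion. Kept only to show the
// isfuzzy pattern; it yields no rows if the table is not present.
let AwsMfaDisabled = AWSCloudTrail
    | where TimeGenerated > ago(lookback)
    | where EventName in~ ("DeactivateMFADevice", "DeleteVirtualMFADevice")
    | extend InitiatingUser = tostring(UserIdentityUserName)
    | extend InitiatingIP   = tostring(SourceIpAddress)
    | project TimeGenerated, Source = "AWS", OperationName = EventName,
              Result = "", InitiatingUser, InitiatingIP,
              TargetUser = "", CorrelationId = tostring(AwsEventId);
// isfuzzy=true: a missing table is skipped instead of failing the query.
union isfuzzy=true AzureMfaDisabled, AwsMfaDisabled
| order by TimeGenerated desc
```

Run it in Log Analytics against the Sentinel workspace and change the `lookback` value (or replace the `ago()` filter with a `between` clause) to cover the exact period in question. If you only care about Azure, drop the AWS branch and the `union` line and run `AzureMfaDisabled` directly; the `Result` column tells you whether the disable attempt actually succeeded.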