Forum Discussion
mchhetry14
Oct 24, 2020 Copper Contributor
MFA enabled/disabled using kql
Hi All, I am trying to check if any user's MFA (for Azure or any other cloud portal) was disabled in a given time period using KQL in log analytics Sentinel. I tried to look for the relevant...
mchhetry14
Oct 26, 2020 Copper Contributor
Thijs Lecomte - Thank you for your reply.
We are enabling MFA on a per-user basis, and when I check the rule 'MFA disabled for a user', it uses the AuditLogs table and joins with the AWSCloudTrail table.
Not sure why AWSCloudTrail is being used, and to me it seems as if the rule is to find MFA disabled for AWS users (we are not using AWS).
Is there any query you could share to find MFA disabled for Azure users?
Thijs Lecomte
Oct 29, 2020 Bronze Contributor
This rule will check both AWS and AuditLogs.
I have this rule in use in environments with only Azure and I confirm this works.
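An Azure-only query for the question asked in this thread, as an added example that is not part of the original posts and is not the text of the 'MFA disabled for a user' rule. It assumes the Azure AD AuditLogs connector is enabled and that per-user MFA being turned off is recorded under the operation name "Disable Strong Authentication"; the `lookback` value and the output column names are constructed for illustration.

```kql
// Added example: per-user MFA disabled for Azure AD users in a given period.
// Assumption: the event is logged in AuditLogs with
// OperationName "Disable Strong Authentication".
let lookback = 14d;   // constructed value; set to the period under review
AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName =~ "Disable Strong Authentication"
// Who made the change: a user (UPN) or an application (display name)
| extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName),
         InitiatedByApp  = tostring(InitiatedBy.app.displayName),
         IPAddress       = tostring(InitiatedBy.user.ipAddress)
| extend Actor = iff(isnotempty(InitiatedByUser), InitiatedByUser, InitiatedByApp)
// Whose MFA was disabled
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
// One row per change, with first and last time it was seen
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Events    = count()
    by TargetUser, Actor, IPAddress, OperationName, Result, CorrelationId
| order by LastSeen desc
```

Rows where `Actor` is not a known identity administrator, or where `TargetUser` holds a privileged role, are the ones to review first.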