MFA enabled/disabled using kql

mchhetry14 · ‎Oct 24 2020

Hi All,

I am trying to check if any user's MFA (for Azure or any other cloud portal) was disabled in a given time period using KQL in log analytics Sentinel.

I tried to look for the relevant data in Auditlogs, SecurityEvent and Signinlogs table but didn't got what I was looking for. Also, could not find any EventID associated for this activity. Though I could see users who logged in via MFA or single factor authentication but not if a user was part of MFA before but got removed in last 24 hours.

I want to use this information to further perform my threat hunting in Sentinel.

Thijs Lecomte · ‎Oct 25 2020

How are you enabling MFA? Through Conditional Access or 'Per user MFA'.

For per user MFA, there is a rule available, it's in the rules template 'MFA disabled for a user'.
For Conditional Access, you are best off monitoring Conditional Access policies.

mchhetry14 · ‎Oct 26 2020

@Thijs Lecomte - Thank you for your reply.

We are enabling MFA per user basis and when I check the rule 'MFA disabled for a user' it uses table Auditlogs and joins with AWSCloudTrail table.

Not sure why AWSCloudTrail is being used and to me it seems as the rule is to find MFA disabled for AWS users (we are not using AWS).

Is there any query you could share to find MFA disabled for Azure users?

Thijs Lecomte · ‎Oct 29 2020

This rule will check both AWS and AuditLogs.
I have this rule in use in environments with only Azure and I confirm this works

MFA enabled/disabled using kql

MFA enabled/disabled using kql

Re: MFA enabled/disabled using kql

Re: MFA enabled/disabled using kql

Re: MFA enabled/disabled using kql

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

MFA enabled/disabled using kql

MFA enabled/disabled using kql

Re: MFA enabled/disabled using kql

Re: MFA enabled/disabled using kql

Re: MFA enabled/disabled using kql