Oct 24 2020 01:05 PM
Hi All,
I am trying to check if any user's MFA (for Azure or any other cloud portal) was disabled in a given time period using KQL in Log Analytics/Sentinel.
I tried to look for the relevant data in the AuditLogs, SecurityEvent and SigninLogs tables but didn't get what I was looking for. Also, I could not find any EventID associated with this activity. Though I could see users who logged in via MFA or single-factor authentication, I could not see if a user was part of MFA before but got removed in the last 24 hours.
I want to use this information to further perform my threat hunting in Sentinel.
Oct 25 2020 11:05 AM
Oct 26 2020 11:42 AM - edited Oct 26 2020 11:47 AM
@Thijs Lecomte - Thank you for your reply.
We are enabling MFA on a per-user basis, and when I check the rule 'MFA disabled for a user', it uses the AuditLogs table and joins it with the AWSCloudTrail table.
Not sure why AWSCloudTrail is being used; to me it seems as if the rule is to find MFA disabled for AWS users (we are not using AWS).
Is there any query you could share to find MFA disabled for Azure users?
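An added example (editor's query, not from any poster in this thread and not the built-in rule) that covers only the Azure AD side: it pulls per-user MFA disable events from AuditLogs and joins them against SigninLogs to flag users who were actually signing in with MFA before it was turned off. It assumes the per-user MFA disable is logged under the OperationName "Disable Strong Authentication" and that SigninLogs carries AuthenticationRequirement; confirm both names against your own tenant's data before relying on the query.

```kql
// Added example: per-user MFA disabled in Azure AD, without any AWSCloudTrail join.
// Assumption: per-user MFA removal is logged as OperationName "Disable Strong Authentication".
let lookback = 24h;          // window to hunt for MFA disable events
let history  = 7d;           // how far back to look for the user's earlier MFA sign-ins
let mfaDisabled =
    AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName =~ "Disable Strong Authentication"
    | mv-expand TargetResources                                   // one row per affected user
    | extend TargetUser = tolower(tostring(TargetResources.userPrincipalName))
    | extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName),
             InitiatedByIp   = tostring(InitiatedBy.user.ipAddress),
             InitiatedByApp  = tostring(InitiatedBy.app.displayName)
    | project DisabledAt = TimeGenerated, TargetUser, Result,
              InitiatedByUser, InitiatedByIp, InitiatedByApp, CorrelationId;
// Users who completed MFA sign-ins in the week before the hunt window:
// a disable for one of these is the "was on MFA, now removed" case from the question.
let priorMfaUsers =
    SigninLogs
    | where TimeGenerated between (ago(lookback + history) .. ago(lookback))
    | where AuthenticationRequirement == "multiFactorAuthentication"
    | extend TargetUser = tolower(UserPrincipalName)
    | summarize LastMfaSignIn = max(TimeGenerated), MfaSignIns = count() by TargetUser;
mfaDisabled
| join kind=leftouter (priorMfaUsers) on TargetUser
| project-away TargetUser1
| extend PreviouslyUsedMfa = isnotempty(LastMfaSignIn)
| order by DisabledAt desc
```

Rows where PreviouslyUsedMfa is true are the ones worth triaging first; the InitiatedBy columns show whether an admin, the user themselves, or an application made the change.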
Oct 29 2020 11:21 AM