MFA enabled/disabled using KQL

Hi All,

I am trying to check whether any user's MFA (for Azure or any other cloud portal) was disabled in a given time period, using KQL in Log Analytics / Sentinel.

I tried to look for the relevant data in the AuditLogs, SecurityEvent and SigninLogs tables but didn't get what I was looking for. Also, I could not find any EventID associated with this activity. I could see users who logged in via MFA or single-factor authentication, but not whether a user was part of MFA before and got removed in the last 24 hours.

I want to use this information for further threat hunting in Sentinel.

3 Replies
How are you enabling MFA? Through Conditional Access or 'Per-user MFA'?

For per-user MFA, there is a rule available in the rule templates: 'MFA disabled for a user'.
For Conditional Access, you are best off monitoring the Conditional Access policies themselves.

@Thijs Lecomte - Thank you for your reply.

We are enabling MFA on a per-user basis, and when I check the rule 'MFA disabled for a user', it uses the AuditLogs table and joins with the AWSCloudTrail table.

Not sure why AWSCloudTrail is being used; to me it seems the rule is meant to find MFA disabled for AWS users (we are not using AWS).

Is there any query you could share to find MFA disabled for Azure users?

This rule will check both AWSCloudTrail and AuditLogs.
I have this rule in use in environments with only Azure and I can confirm it works.
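As an added example (written here for this thread, not the Sentinel rule template's own query and not code posted by anyone above), the following KQL looks only at the Azure AD side of the problem: per-user MFA being disabled in AuditLogs over the last 24 hours, then correlated with SigninLogs so that a hunter can see whether the affected account signed in with only a single factor afterwards. It goes slightly beyond the thread by adding that sign-in correlation. Assumptions, which you should verify against your own tenant before relying on it: that the per-user MFA disable action is written to AuditLogs with Category "UserManagement" and OperationName "Disable Strong Authentication", that InitiatedBy and TargetResources have the usual dynamic shape, and that SigninLogs carries the AuthenticationRequirement column with the value "singleFactorAuthentication". The AWSCloudTrail branch of the template is deliberately omitted because the poster does not use AWS.

```kql
// Added example: hunt for per-user MFA being disabled in Azure AD and
// check whether the target account then signed in without MFA.
// ASSUMPTION: the disable action appears as Category "UserManagement" /
// OperationName "Disable Strong Authentication". Confirm this in your tenant
// by running: AuditLogs | where OperationName has "Strong Authentication" | distinct OperationName
let lookback = 24h;
let mfaDisabled =
    AuditLogs
    | where TimeGenerated > ago(lookback)
    | where Category == "UserManagement"
    | where OperationName =~ "Disable Strong Authentication"
    // InitiatedBy.user is a nested JSON object; unpack who did it and from where
    | extend InitiatorUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName),
             InitiatorIp   = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress),
             // TargetResources[0] is the account whose MFA was changed
             TargetUser    = tostring(TargetResources[0].userPrincipalName),
             TargetUserId  = tostring(TargetResources[0].id)
    | project DisabledTime = TimeGenerated, Result, InitiatorUser, InitiatorIp,
              TargetUser, TargetUserId, CorrelationId;
// Single-factor sign-ins in the same window; ASSUMPTION: AuthenticationRequirement
// holds "singleFactorAuthentication" / "multiFactorAuthentication" as in standard SigninLogs.
let singleFactorSignins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where AuthenticationRequirement =~ "singleFactorAuthentication"
    | where ResultType == 0   // successful sign-ins only
    | project SigninTime = TimeGenerated, UserPrincipalName, SigninIp = IPAddress,
              AppDisplayName, Location;
mfaDisabled
| join kind=leftouter singleFactorSignins on $left.TargetUser == $right.UserPrincipalName
// keep every disable event; attach only sign-ins that happened AFTER MFA was turned off
| where isnull(SigninTime) or SigninTime > DisabledTime
| extend PostDisableSingleFactorSignin = isnotnull(SigninTime)
| project DisabledTime, Result, InitiatorUser, InitiatorIp, TargetUser, TargetUserId,
          PostDisableSingleFactorSignin, SigninTime, SigninIp, AppDisplayName, Location, CorrelationId
| sort by DisabledTime desc, SigninTime asc
```

Rows where PostDisableSingleFactorSignin is true and InitiatorUser is not a known admin, or InitiatorIp and SigninIp match, are the ones worth pulling the CorrelationId on. To cover the reverse case (MFA being re-enabled) swap the OperationName filter for "Enable Strong Authentication" under the same assumption.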