Microsoft Sentinel Analytic Rules

Red Sift - MFA disabled on account

Id: 16f26d2c-6296-490b-af4f-b30bcf1c4461
Rulename: Red Sift - MFA disabled on account
Description: This query searches for authentication events where MFA has been disabled on an account, which may indicate account takeover activity, weakened account protections, or unauthorized administrative changes.
Severity: High
Tactics: DefenseEvasion
Techniques: T1556
Required data connectors: RedSiftPush
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Sift/Analytic Rules/RedSiftMFADisabled.yaml
Version: 1.0.0
Arm template: 16f26d2c-6296-490b-af4f-b30bcf1c4461.json
// Detection query for "Red Sift - MFA disabled on account".
// Input: RedSiftAuth_CL (Red Sift push connector). Output: one row per
// event whose ActivityName is "MFA Disabled" and that names at least one account.
RedSiftAuth_CL
// column_ifexists() returns the column when the custom log has it and the
// default ("") otherwise, so the query stays valid if the schema drifts;
// every field below is therefore a string that may be empty.
| extend
    ActivityName = tostring(column_ifexists("ActivityName", "")),
    UserEmail = tostring(column_ifexists("UserEmail", "")),
    ActorUserEmail = tostring(column_ifexists("ActorUserEmail", "")),
    SrcIp = tostring(column_ifexists("SrcIp", "")),
    HttpUserAgent = tostring(column_ifexists("HttpUserAgent", "")),
    ServiceName = tostring(column_ifexists("ServiceName", "")),
    Severity = tostring(column_ifexists("Severity", "")),
    UserUid = tostring(column_ifexists("UserUid", "")),
    ActorUserUid = tostring(column_ifexists("ActorUserUid", ""))
// =~ is a case-insensitive equality; only this exact activity name matches,
// so a renamed or differently spelled vendor activity would not fire the rule.
| where ActivityName =~ "MFA Disabled"
// Drop rows with no identity at all; the Account entity mapping relies on one.
| where isnotempty(UserEmail) or isnotempty(ActorUserEmail)
// TargetAccount is the affected user when present, otherwise the actor
// (an admin disabling MFA for another user yields both columns).
| extend TargetAccount = iff(isnotempty(UserEmail), UserEmail, ActorUserEmail)
// Columns consumed by entityMappings (TargetAccount, SrcIp), customDetails
// and alertDetailsOverride in the rule definition.
| project
    TimeGenerated,
    TargetAccount,
    UserEmail,
    ActorUserEmail,
    SrcIp,
    HttpUserAgent,
    ServiceName,
    ActivityName,
    Severity,
    UserUid,
    ActorUserUid
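# Microsoft Sentinel scheduled analytic rule: Red Sift - MFA disabled on account.
# Fires on every RedSiftAuth_CL row whose ActivityName is "MFA Disabled"
# (AlertPerResult) and groups the resulting alerts into incidents by Account.
id: 16f26d2c-6296-490b-af4f-b30bcf1c4461
name: Red Sift - MFA disabled on account
description: |
  This query searches for authentication events where MFA has been disabled on an account, which may indicate account takeover activity, weakened account protections, or unauthorized administrative changes.
severity: High
status: Available
kind: Scheduled
version: 1.0.0
requiredDataConnectors:
- connectorId: RedSiftPush
  dataTypes:
  - RedSiftAuth_CL
# Frequency equals period, so each ingested event is evaluated exactly once;
# widen queryPeriod above queryFrequency if late-arriving Red Sift events must
# not be missed.
queryFrequency: 1h
queryPeriod: 1h
# "gt 0": any matching row fires the rule.
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1556
# Query notes:
# - column_ifexists() maps missing custom-log columns to "" instead of failing,
#   so every projected field is a possibly-empty string.
# - ActivityName is matched case-insensitively (=~) against the single literal
#   "MFA Disabled"; other vendor activity names are not considered.
# - Rows with neither UserEmail nor ActorUserEmail are discarded so the Account
#   entity below is never empty.
# - TargetAccount is UserEmail when set, otherwise ActorUserEmail.
query: |
  RedSiftAuth_CL
  | extend
      ActivityName = tostring(column_ifexists("ActivityName", "")),
      UserEmail = tostring(column_ifexists("UserEmail", "")),
      ActorUserEmail = tostring(column_ifexists("ActorUserEmail", "")),
      SrcIp = tostring(column_ifexists("SrcIp", "")),
      HttpUserAgent = tostring(column_ifexists("HttpUserAgent", "")),
      ServiceName = tostring(column_ifexists("ServiceName", "")),
      Severity = tostring(column_ifexists("Severity", "")),
      UserUid = tostring(column_ifexists("UserUid", "")),
      ActorUserUid = tostring(column_ifexists("ActorUserUid", ""))
  | where ActivityName =~ "MFA Disabled"
  | where isnotempty(UserEmail) or isnotempty(ActorUserEmail)
  | extend TargetAccount = iff(isnotempty(UserEmail), UserEmail, ActorUserEmail)
  | project
      TimeGenerated,
      TargetAccount,
      UserEmail,
      ActorUserEmail,
      SrcIp,
      HttpUserAgent,
      ServiceName,
      ActivityName,
      Severity,
      UserUid,
      ActorUserUid
# Account = the affected user (or the actor when the target is absent);
# this is also the entity incidents are grouped on below.
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: TargetAccount
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: SrcIp
    identifier: Address
# Extra context surfaced on the alert; ActorUserEmail may be empty when the
# event carries only the target identity.
customDetails:
  UserAgent: HttpUserAgent
  ActivityName: ActivityName
  ServiceName: ServiceName
  ActorUserEmail: ActorUserEmail
alertDetailsOverride:
  alertDescriptionFormat: 'MFA was disabled for {{TargetAccount}}. Actor: {{ActorUserEmail}}. Source IP: {{SrcIp}}.'
  alertDisplayNameFormat: 'RedSift - MFA Disabled for {{TargetAccount}}'
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    # Alerts for the same Account within one day land in one incident.
    matchingMethod: Selected
    groupByEntities:
    - Account
    lookbackDuration: P1D
    reopenClosedIncident: false
# Alert suppression is off; PT1H is only the value used if it is enabled.
suppressionEnabled: false
suppressionDuration: PT1H
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Sift/Analytic Rules/RedSiftMFADisabled.yaml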