
Red Sift - MFA disabled on account

Id: 16f26d2c-6296-490b-af4f-b30bcf1c4461
Rulename: Red Sift - MFA disabled on account
Description: This query searches for authentication events where MFA has been disabled on an account, which may indicate account takeover activity, weakened account protections, or unauthorized administrative changes.
Severity: High
Tactics: DefenseEvasion
Techniques: T1556
Required data connectors: RedSiftPush
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Sift/Analytic Rules/RedSiftMFADisabled.yaml
Version: 1.0.0
Arm template: 16f26d2c-6296-490b-af4f-b30bcf1c4461.json
// Red Sift authentication log: surface every "MFA Disabled" activity so the
// affected account can be reviewed for weakened protection or takeover.
// column_ifexists() tolerates schema drift in the custom table: a column that
// is absent from the ingested payload becomes "" instead of failing the query.
RedSiftAuth_CL
// Event classification fields
| extend
    ActivityName = tostring(column_ifexists("ActivityName", "")),
    Severity = tostring(column_ifexists("Severity", "")),
    ServiceName = tostring(column_ifexists("ServiceName", ""))
// Identity fields: the account that was changed and the account that changed it
| extend
    UserEmail = tostring(column_ifexists("UserEmail", "")),
    UserUid = tostring(column_ifexists("UserUid", "")),
    ActorUserEmail = tostring(column_ifexists("ActorUserEmail", "")),
    ActorUserUid = tostring(column_ifexists("ActorUserUid", ""))
// Network / client context for the change
| extend
    SrcIp = tostring(column_ifexists("SrcIp", "")),
    HttpUserAgent = tostring(column_ifexists("HttpUserAgent", ""))
// =~ is a case-insensitive match; rows with neither a target nor an actor
// identity cannot be mapped to an Account entity and are dropped here.
| where ActivityName =~ "MFA Disabled"
    and (isnotempty(UserEmail) or isnotempty(ActorUserEmail))
// Prefer the affected user as the entity; fall back to the actor when the
// target identity is blank.
| extend TargetAccount = iff(isnotempty(UserEmail), UserEmail, ActorUserEmail)
| project
    TimeGenerated,
    TargetAccount,
    UserEmail,
    ActorUserEmail,
    SrcIp,
    HttpUserAgent,
    ServiceName,
    ActivityName,
    Severity,
    UserUid,
    ActorUserUid
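---
# Microsoft Sentinel scheduled analytic rule: Red Sift - MFA disabled on account.
# Fires on every RedSiftAuth_CL row whose ActivityName is "MFA Disabled" and
# that carries at least one identity (UserEmail or ActorUserEmail).
status: Available
# Run hourly over the preceding hour, so consecutive runs evaluate adjacent
# windows. NOTE(review): if connector ingestion can lag by more than the
# period, events may be missed; widen queryPeriod to add overlap if needed.
queryFrequency: 1h
suppressionEnabled: false
queryPeriod: 1h
# Any result count greater than 0 raises an alert.
triggerOperator: gt
# column_ifexists() keeps the query valid when an optional column is absent
# from the ingested payload; =~ is a case-insensitive match.
query: |
  RedSiftAuth_CL
  | extend
      ActivityName = tostring(column_ifexists("ActivityName", "")),
      UserEmail = tostring(column_ifexists("UserEmail", "")),
      ActorUserEmail = tostring(column_ifexists("ActorUserEmail", "")),
      SrcIp = tostring(column_ifexists("SrcIp", "")),
      HttpUserAgent = tostring(column_ifexists("HttpUserAgent", "")),
      ServiceName = tostring(column_ifexists("ServiceName", "")),
      Severity = tostring(column_ifexists("Severity", "")),
      UserUid = tostring(column_ifexists("UserUid", "")),
      ActorUserUid = tostring(column_ifexists("ActorUserUid", ""))
  | where ActivityName =~ "MFA Disabled"
  | where isnotempty(UserEmail) or isnotempty(ActorUserEmail)
  | extend TargetAccount = iff(isnotempty(UserEmail), UserEmail, ActorUserEmail)
  | project
      TimeGenerated,
      TargetAccount,
      UserEmail,
      ActorUserEmail,
      SrcIp,
      HttpUserAgent,
      ServiceName,
      ActivityName,
      Severity,
      UserUid,
      ActorUserUid
# One alert per matching row rather than one alert per query run.
eventGroupingSettings:
  aggregationKind: AlertPerResult
# Presumably only consulted while suppressionEnabled is true.
suppressionDuration: PT1H
tactics:
- DefenseEvasion
triggerThreshold: 0
# TargetAccount (affected user, or the actor when the target is blank) becomes
# the Account entity; SrcIp becomes the IP entity.
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: TargetAccount
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIp
requiredDataConnectors:
- connectorId: RedSiftPush
  dataTypes:
  - RedSiftAuth_CL
# {{Column}} placeholders are substituted from the projected query columns.
alertDetailsOverride:
  alertDescriptionFormat: 'MFA was disabled for {{TargetAccount}}. Actor: {{ActorUserEmail}}. Source IP: {{SrcIp}}.'
  alertDisplayNameFormat: 'RedSift - MFA Disabled for {{TargetAccount}}'
relevantTechniques:
- T1556
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Sift/Analytic Rules/RedSiftMFADisabled.yaml'
# Extra columns surfaced on the alert (alert field name: query column).
customDetails:
  ActivityName: ActivityName
  UserAgent: HttpUserAgent
  ActorUserEmail: ActorUserEmail
  ServiceName: ServiceName
description: |
  This query searches for authentication events where MFA has been disabled on an account, which may indicate account takeover activity, weakened account protections, or unauthorized administrative changes.
# Alerts for the same Account entity within a day are grouped into one incident.
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: true
    matchingMethod: Selected
    lookbackDuration: P1D
    groupByEntities:
    - Account
  createIncident: true
name: Red Sift - MFA disabled on account
version: 1.0.0
kind: Scheduled
id: 16f26d2c-6296-490b-af4f-b30bcf1c4461
severity: High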