topic Re: O365 Disable MFA Analytics in Splunk Enterprise

O365 Disable MFA Analytics

saskn — Fri, 16 Feb 2024 06:56:14 GMT

https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/

when i give this command Operation!="Disable Strong Authentication." i am getting the MFA enabled users details.

But when the below query is executed i am not getting any output.

Can some one help me in sharing some docs

`o365_management_activity` Operation="Disable Strong Authentication." 
| stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation UserId ResultStatus object 
| rename UserType AS user_type, Operation AS action, UserId AS src_user, object AS user, ResultStatus AS result 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `o365_disable_mfa_filter`

as per the

Re: O365 Disable MFA Analytics

saskn — Fri, 16 Feb 2024 06:58:10 GMT

the above query not working but when i Operation!="Disable Strong Authentication." getting enabled mfa users list.

i have already ingested the Splunk logs and completed the macro creation

Re: O365 Disable MFA Analytics

scelikok — Fri, 16 Feb 2024 08:58:07 GMT

Hi @saskn,

If the query works when Operation!="Disable Strong Authentication.", it shows no user disabled MFA. Normally, you have no results if all users are using MFA.