Re: O365 Disable MFA Analytics

saskn · ‎02-15-2024

https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/

when i give this command Oper...

`o365_management_activity` Operation="Disable Strong Authentication." 
| stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation UserId ResultStatus object 
| rename UserType AS user_type, Operation AS action, UserId AS src_user, object AS user, ResultStatus AS result 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `o365_disable_mfa_filter`

as per the

scelikok · ‎02-16-2024

Hi @saskn,

If the query works when Operation!="Disable Strong Authentication.", it shows no user disabled MFA. Normally, you have no results if all users are using MFA.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

saskn · ‎02-15-2024

the above query not working but when i Operation!="Disable Strong Authentication." getting enabled mfa users list.

i have already ingested the Splunk logs and completed the macro creation

O365 Disable MFA Analytics

Analytics Workspace

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation