https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/ when i give this command Operation!="Disable Strong Authentication." i am getting the MFA enabled users details. But when the below query is executed i am not getting any output. Can some one help me in sharing some docs `o365_management_activity` Operation="Disable Strong Authentication."
| stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation UserId ResultStatus object
| rename UserType AS user_type, Operation AS action, UserId AS src_user, object AS user, ResultStatus AS result
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_disable_mfa_filter` as per the
... View more