
MFA downgrade - disable strong factors

Status: experimental
Severity: medium
Log source: product auth0
Author: Okta
Source: github.com/auth0/auth0-customer-detections

An adversary can try to downgrade authentication requirements by disabling strong authenticators (Webauthn) for users.

MITRE ATT&CK coverage

Rule body (yaml)

title: MFA downgrade - disable strong factors
id: d0b564f6-716a-11f0-96ba-723487b9527c
status: experimental
description: |
    An adversary can try to downgrade authentication requirements by disabling strong authenticators (Webauthn) for users.
author: Okta
date: 2025-07-11
modified: 2025-09-21
logsource:
    product: auth0
detection:
    selection:
        data.type: sapi
        data.description: "Update multi-factor authentication type"
        data.details.request.body.enabled: false
    condition: selection
explanation: >
    The query filters for log entries recording changes in availability of MFA factors for the whole tenant.
    The Splunk query below also parses the path where the last part shows the type of the disabled factor.
    It takes the last modifications of the availability for each factor by default.
    This query can be used for reporting purposes (when and which factors were disabled and enabled) by commenting out the "sort" and "dedup" clauses.
    Finally, the query summarises the user created modification, IP and lists disabled factors.
    To monitor only a specific factor, e.g. phishing-resistant, uncomment the "search" clause.
splunk: |
    index=auth0 data.tenant_name="{your-tenant-name}"
    data.type=sapi data.description="Update multi-factor authentication type"
    ```data.details.request.body.enabled=false```
    | fields data.details.request.path, data.user_id, data.details.request.ip,
    data.details.request.body.enabled
    ``` Excluding trusted IPs```
    ``` NOT data.details.request.ip IN ("{white-listed-IPs}")```
    | rex field=data.details.request.path "/(?<factor>[^/]+)$"
    ```Take only the last change of configurations that reflects the current settings```
    | sort -_time, factor
    | dedup factor
    ```Limit monitored factors, e.g. phishing-resistant ```
    ```| search factor IN (webauthn-roaming, webauthn-platform)```
    ``` Alert when monitored factors have been disabled ```
    | where 'data.details.request.body.enabled' = "false"
    ```Display the information in a table```
    | table _time, data.user_id, data.details.request.ip, factor, data.details.request.body.enabled
comments:
    - The Splunk query above shall be tuned to reflect a valid tenant name.
    - Additionally, you can expand the detection to other factors, e.g. SMS.
    - Limit the detection to actions conducted from untrusted IPs and/or particular users.
tenant_logs: |
    type: "sapi" AND description: "Update multi-factor authentication type"
prevention:
    - Control tenant admins, i.e. "Admin", as this role has permissions to modify any application.
    - Enforce MFA for tenant admins to reduce the risk of an adversary gaining access.
    - Control Management API scopes that allow modification of MFA settings - update:guardian_factors.
    - Control usage of Management API from only trusted IPs by applying Network ACL scoped to "management".
falsepositives:
    - Intentional legitimate disabling of strong factors by administrators.
level: medium
tags:
    - attack.defense-evasion
    - attack.t1562
    - attack.t1562.007
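The following is an added example, not part of the rule or the auth0-customer-detections repository: a Python re-implementation of the Sigma selection and of the Splunk pipeline described in the explanation field (factor extracted from the last path segment, latest change kept per factor, optional trusted-IP exclusion and factor allow-list, alert on factors whose most recent state is disabled). The log entries are constructed for the example and follow the field names used by the rule; the `_time` field and the ISO timestamps are assumptions about how the events arrive in a SIEM.

```python
import re
from datetime import datetime

MFA_UPDATE = "Update multi-factor authentication type"


def entry(ts, user_id, ip, factor, enabled, log_type="sapi", description=MFA_UPDATE):
    """Build a constructed Auth0 tenant-log entry shaped like the rule's fields."""
    return {
        "_time": ts,  # assumed SIEM timestamp field, ISO 8601 in UTC
        "data": {
            "type": log_type,
            "description": description,
            "user_id": user_id,
            "details": {"request": {
                "ip": ip,
                "path": f"/api/v2/guardian/factors/{factor}",
                "body": {"enabled": enabled},
            }},
        },
    }


# Constructed sample events (not real tenant data), in arrival order.
SAMPLE_LOGS = [
    entry("2025-07-11T08:00:00Z", "auth0|admin-b", "203.0.113.5", "webauthn-platform", False),
    entry("2025-07-11T09:00:00Z", "auth0|admin-a", "198.51.100.10", "webauthn-roaming", True),
    entry("2025-07-11T10:00:00Z", "auth0|unknown-admin", "192.0.2.44", "webauthn-roaming", False),
    entry("2025-07-11T11:00:00Z", "auth0|admin-b", "203.0.113.5", "webauthn-platform", True),
    entry("2025-07-11T12:00:00Z", "auth0|admin-a", "198.51.100.10", "sms", False),
    # Unrelated successful-login event: must not match.
    entry("2025-07-11T12:30:00Z", "auth0|user-x", "192.0.2.9", "otp", False,
          log_type="s", description="Success Login"),
]


def _request(e):
    return e.get("data", {}).get("details", {}).get("request", {})


def sigma_selection(e):
    """Exact equivalent of the Sigma 'selection' block: one disable event."""
    d = e.get("data", {})
    return (d.get("type") == "sapi"
            and d.get("description") == MFA_UPDATE
            and _request(e).get("body", {}).get("enabled") is False)


def factor_from_path(path):
    """Same as the Splunk rex: the factor name is the last path segment."""
    m = re.search(r"/([^/]+)$", path or "")
    return m.group(1) if m else None


def disabled_factors(entries, trusted_ips=frozenset(), monitored=None):
    """Mirror of the Splunk pipeline: keep MFA-type updates, drop trusted IPs,
    take the latest change per factor, report factors currently disabled."""
    latest = {}
    for e in entries:
        d = e.get("data", {})
        if d.get("type") != "sapi" or d.get("description") != MFA_UPDATE:
            continue
        req = _request(e)
        if req.get("ip") in trusted_ips:
            continue  # the commented-out NOT ... IN ("{white-listed-IPs}") clause
        factor = factor_from_path(req.get("path"))
        if factor is None or (monitored and factor not in monitored):
            continue  # the commented-out "search factor IN (...)" clause
        ts = datetime.fromisoformat(e["_time"].replace("Z", "+00:00"))
        if factor not in latest or ts > latest[factor][0]:
            latest[factor] = (ts, e)  # sort -_time | dedup factor
    return {
        f: {"time": ts.isoformat(), "user_id": e["data"].get("user_id"),
            "ip": _request(e).get("ip")}
        for f, (ts, e) in latest.items()
        if _request(e).get("body", {}).get("enabled") is False
    }


if __name__ == "__main__":
    for factor, info in disabled_factors(SAMPLE_LOGS).items():
        print(f"{info['time']} {factor} disabled by {info['user_id']} from {info['ip']}")
```

Run as-is it reports `webauthn-roaming` and `sms` as disabled; `webauthn-platform` is not reported because its most recent change re-enabled it, which is the point of the sort/dedup step. Passing `monitored={"webauthn-roaming", "webauthn-platform"}` narrows the output to the phishing-resistant factors, and `trusted_ips` excludes changes from the administrative network before the per-factor state is computed.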

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    data.type: sapi
    data.description: "Update multi-factor authentication type"
    data.details.request.body.enabled: false

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
data.description | eq | Update multi-factor authentication type
data.details.request.body.enabled | eq | false
data.type | eq | sapi