Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.
You can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.
This is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used
and the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.
1. Review the AWS policy change and understand the reason why target user is not configured to use MFA.
2. Enable MFA for in scope users
3. Perform an investigation in Azure Sentinel for the same user account, hostname and/or IP address entity to see if any lateral movements were completed.