Managed Sentinel – Alert 158

Alert ID: MS-A158
Alert Name: MFA disabled for a user - AWS CloudTrail
Description: Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user.
Severity Level: Medium
Threat Indicator: Improper Access
MITRE ATT&CK Tactics: Credential Access
False Positives: Service Accounts
Log sources: AWS
Recommendations:
1. Review the AWS policy change and understand the reason why the target user is not configured to use MFA.
2. Enable MFA for the in-scope users.
3. Perform an investigation in Azure Sentinel for the same user account, hostname and/or IP address entity to see if any lateral movements were completed.