Home/Sigma rules
Sigma

Sigma detection rules

3 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

3 shown of 3
high
Disabling Multi Factor Authentication
Detects disabling of Multi Factor Authentication.
status test author Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule) id 60de9b57-dc4d-48b9-a6a0-b39e0469f876
view Sigma YAML 
title: Disabling Multi Factor Authentication
id: 60de9b57-dc4d-48b9-a6a0-b39e0469f876
status: test
description: Detects disabling of Multi Factor Authentication.
references:
    - https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/
author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
date: 2023-09-18
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556.006
logsource:
    service: audit
    product: m365
detection:
    selection:
        Operation|contains: 'Disable Strong Authentication.'
    condition: selection
falsepositives:
    - Unlikely
level: high
medium
Okta MFA Reset or Deactivated
Detects when an attempt at deactivating or resetting MFA.
status test author Austin Songer @austinsonger id 50e068d7-1e6b-4054-87e5-0a592c40c7e0
view Sigma YAML 
title: Okta MFA Reset or Deactivated
id: 50e068d7-1e6b-4054-87e5-0a592c40c7e0
status: test
description: Detects when an attempt at deactivating  or resetting MFA.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-21
modified: 2026-04-27
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556.006
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType:
            - user.mfa.factor.deactivate
            - user.mfa.factor.reset_all
    condition: selection
falsepositives:
    - If a MFA reset or deactivated was performed by a system administrator.
level: medium
low
Azure AD Only Single Factor Authentication Required
Detect when users are authenticating without MFA being required.
status test author MikeDuddington, '@dudders1' id 28eea407-28d7-4e42-b0be-575d5ba60b2c
view Sigma YAML 
title: Azure AD Only Single Factor Authentication Required
id: 28eea407-28d7-4e42-b0be-575d5ba60b2c
status: test
description: Detect when users are authenticating without MFA being required.
references:
    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
author: MikeDuddington, '@dudders1'
date: 2022-07-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.defense-impairment
    - attack.t1078.004
    - attack.t1556.006
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        Status: 'Success'
        AuthenticationRequirement: 'singleFactorAuthentication'
    condition: selection
falsepositives:
    - If this was approved by System Administrator.
level: low
Showing 1-3 of 3
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin