From 39fbce5cb614c573de0b4694bfebc80ecb710d39 Mon Sep 17 00:00:00 2001 From: "byteray-cql-hub-bot[bot]" <261226166+byteray-cql-hub-bot[bot]@users.noreply.github.com> Date: Thu, 21 May 2026 11:49:01 +0000 Subject: [PATCH] Add query: Disable Strong Authentication (Microsoft Entra ID)
---
 ...rong_authentication_microsoft_entra_id.yml | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 queries/disable_strong_authentication_microsoft_entra_id.yml
diff --git a/queries/disable_strong_authentication_microsoft_entra_id.yml b/queries/disable_strong_authentication_microsoft_entra_id.yml new file mode 100644
index 0000000..88f42c5
--- /dev/null
+++ b/queries/disable_strong_authentication_microsoft_entra_id.yml 
@@ -0,0 +1,37 @@
+# --- Query Metadata ---
+# Human-readable name for the query. Will be displayed as the title.
+name: Disable Strong Authentication (Microsoft Entra ID)
+
+# MITRE ATT&CK technique IDs
+mitre_ids:
+ - T1556
+
+# Description of what the query does and its purpose.
+description: |
+ Detects when strong authentication methods (such as MFA) are disabled or weakened for a user account in Microsoft Entra ID. This action reduces account security and may indicate a legitimate administrative change or a potential attempt to bypass authentication controls and should be reviewed.
+
+# The author or team that created the query.
+author: Kundan Kumar
+
+# The required log sources to run this query successfully in Next-Gen SIEM.
+log_sources:
+ - Other
+
+# Tags for filtering and categorization.
+tags:
+ - Detection
+
+# --- Query Content ---
+# The actual CrowdStrike Query Language (CQL) code.
+# Using the YAML block scalar `|` allows for multi-line strings.
+cql: |
+ #Vendor="microsoft"
+ | #event.module = azure
+ | #event.dataset = azure.entraid.audit
+ | Vendor.activityDisplayName ="Disable Strong Authentication"
+
+# Explanation of the query.
+# Using the YAML block scalar `|` allows for multi-line strings.
+# Uses markdown for formatting on the webpage.
+explanation: |
+ Detects when strong authentication methods (such as MFA) are disabled or weakened for a user account in Microsoft Entra ID. This action reduces account security and may indicate a legitimate administrative change or a potential attempt to bypass authentication controls and should be reviewed.
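Review bot: The match on `Vendor.activityDisplayName ="Disable Strong Authentication"` is narrower than the description and explanation promise: it catches that single audit activity (per-user MFA being turned off), not MFA being "weakened" by other routes such as authentication-method or conditional-access policy changes, and it applies no outcome filter, so failed attempts presumably match as well. Either tighten the wording to something like "Detects the Entra ID audit activity `Disable Strong Authentication`, logged when per-user MFA enforcement is removed from an account" or add the other activity names the team actually wants covered, and state explicitly whether unsuccessful attempts are meant to alert. The result also carries no actor or target, so an analyst cannot triage from the hit alone; a trailing projection along the lines of `| select([@timestamp, Vendor.initiatedBy.user.userPrincipalName, Vendor.targetResources[0].userPrincipalName, Vendor.result])` would help, with the field paths confirmed against the ingested schema since only `Vendor.activityDisplayName` is visible here. `mitre_ids` could use the more specific sub-technique `- T1556.006` (Modify Authentication Process: Multi-Factor Authentication), and the explanation block repeats the description verbatim where it should instead give the triage steps (who initiated the change, whether it was a service principal or a break-glass account, and whether a sign-in by the affected user followed shortly after).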