ByteRay-Labs · dweissbacher · May 21, 2026 · May 21, 2026
diff --git a/queries/disable_strong_authentication_microsoft_entra_id.yml b/queries/disable_strong_authentication_microsoft_entra_id.yml
@@ -0,0 +1,37 @@
+# --- Query Metadata ---
+# Human-readable name for the query. Will be displayed as the title.
+name: Disable Strong Authentication (Microsoft Entra ID)
+
+# MITRE ATT&CK technique IDs
+mitre_ids:
+  - T1556
+
+# Description of what the query does and its purpose.
+description: |
+  Detects when strong authentication methods (such as MFA) are disabled or weakened for a user account in Microsoft Entra ID. This action reduces account security and may indicate a legitimate administrative change or a potential attempt to bypass authentication controls and should be reviewed.
+
+# The author or team that created the query.
+author: Kundan Kumar
+
+# The required log sources to run this query successfully in Next-Gen SIEM.
+log_sources:
+  - Other
+
+# Tags for filtering and categorization.
+tags:
+  - Detection
+
+# --- Query Content ---
+# The actual CrowdStrike Query Language (CQL) code.
+# Using the YAML block scalar `|` allows for multi-line strings.
+cql: |
+  #Vendor="microsoft"
+  | #event.module = azure
+  | #event.dataset = azure.entraid.audit
+  | Vendor.activityDisplayName ="Disable Strong Authentication"
+
+# Explanation of the query.
+# Using the YAML block scalar `|` allows for multi-line strings.
+# Uses markdown for formatting on the webpage.
+explanation: |
+  Detects when strong authentication methods (such as MFA) are disabled or weakened for a user account in Microsoft Entra ID. This action reduces account security and may indicate a legitimate administrative change or a potential attempt to bypass authentication controls and should be reviewed.