MFA was disabled for a Google Workspace user

Cortex XDR Analytics Alert Reference by data source

Product

Cortex XDR

Last date published

2026-05-18

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: Google Workspace Audit Logs
Detection Modules	Identity Threat Module
Detector Tags	Google Workspace
ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Modify Authentication Process: Multi-Factor Authentication (T1556.006)
Severity	Informational

Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user.

Adversaries may impair defenses by disabling Multi-Factor Authentication (MFA) to maintain persistence and evade detection.

Verify if the MFA disablement was authorized.
Investigate the source IP and User Agent for previous malicious activity or anomalies.
Follow further actions done by the user and IP address.

ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Modify Authentication Process: Multi-Factor Authentication (T1556.006)
Severity	Medium

Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user.

Adversaries may impair defenses by disabling Multi-Factor Authentication (MFA) to maintain persistence and evade detection.

Verify if the MFA disablement was authorized.
Investigate the source IP and User Agent for previous malicious activity or anomalies.
Follow further actions done by the user and IP address.

ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Modify Authentication Process: Multi-Factor Authentication (T1556.006)
Severity	Low

Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user.

Adversaries may impair defenses by disabling Multi-Factor Authentication (MFA) to maintain persistence and evade detection.

Verify if the MFA disablement was authorized.
Investigate the source IP and User Agent for previous malicious activity or anomalies.
Follow further actions done by the user and IP address.