Skip to main content


Splunk Lantern

Verifying multifactor authentication usage in O365


The CIS Benchmark recommends the use of Multi-Factor Authentication (MFA) on accounts with a console password (Section 1.2) and root accounts (1.14). Enabling MFA helps secure accounts, so conversely, the lack of MFA may result in accounts that are more easily compromised. You want to see if users are logging in without MFA.

Required data

Microsoft O365

How to use Splunk software for this use case

To deploy this use case, you need to import the Splunk ES Content Updates into your Splunk Security Essentials or Splunk Enterprise Security deployment. This extensive content library empowers you to deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. Some of the detections that can help you with this use case include:

Next steps

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at if you require assistance.