crowdstrike_cql

MFA Status Monitoring

Displays Multi-Factor Authentication (MFA) status events over time. Monitor for unexpected spikes in denials, errors, or timeouts that may indicate security threats, system issues, or user experience problems requiring investigation.

Detection Query

#repo=base_sensor #event_simpleName=IdpPolicy*RuleMatch
| in(field=cid, values=[?SelectedCid])
| match(file="aid_master_main.csv", field=[cid, aid])
// Filters
| in(field=MachineDomain, values=[?SelectedDomain])
| case {
  IdpPolicyMfaStatus=1 | IdpPolicyMfaStatus:="Approved";
  IdpPolicyMfaStatus=2 | IdpPolicyMfaStatus:="Denied";
  IdpPolicyMfaStatus=32 | IdpPolicyMfaStatus:="Invalid input";
  IdpPolicyMfaStatus=64 | IdpPolicyMfaStatus:="Resp. timeout";
  IdpPolicyMfaStatus=128 | IdpPolicyMfaStatus:="User not enrolled";
  IdpPolicyMfaStatus=256 | IdpPolicyMfaStatus:="Service Error";
  IdpPolicyMfaStatus=640 | IdpPolicyMfaStatus:="No authorizer";
}
| timeChart(series=IdpPolicyMfaStatus)
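The query above labels each IdpPolicyMfaStatus code and charts the series; spotting a spike is then left to whoever reads the chart. As an added Python example that is not part of the CrowdStrike query or its repository, the block below applies the same code-to-label mapping, buckets events the way timeChart does, and flags any bucket whose "Denied", "Resp. timeout" or "Service Error" count rises above a running baseline. The event records, the five-minute bucket size, the mean-plus-three-sigma baseline rule and all function names are assumptions; the status labels (including 640) are reproduced exactly as the page gives them.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Code-to-label mapping copied from the query's case block on this page.
MFA_STATUS_LABELS = {
    1: "Approved",
    2: "Denied",
    32: "Invalid input",
    64: "Resp. timeout",
    128: "User not enrolled",
    256: "Service Error",
    640: "No authorizer",
}


def label_status(code):
    """Return the human-readable label for an IdpPolicyMfaStatus code (unknown codes kept visible)."""
    return MFA_STATUS_LABELS.get(code, f"Unknown({code})")


def bucket_counts(events, bucket_seconds=300):
    """Group events into fixed-width time buckets and count labelled statuses per bucket,
    mirroring what timeChart(series=IdpPolicyMfaStatus) plots. Bucket keys are epoch seconds."""
    buckets = defaultdict(Counter)
    for ev in events:
        epoch = int(ev["timestamp"].timestamp())
        key = epoch - (epoch % bucket_seconds)
        buckets[key][label_status(ev["IdpPolicyMfaStatus"])] += 1
    return dict(sorted(buckets.items()))


def find_spikes(buckets, watch=("Denied", "Resp. timeout", "Service Error"),
                min_count=5, sigmas=3.0, min_history=3):
    """Flag (bucket, label, count, baseline) where a watched status exceeds
    mean + sigmas * stdev of the earlier buckets. min_count is an absolute floor so that
    a jump from 0 to 2 events does not alert; min_history is how many prior buckets are
    needed before a baseline is trusted. Both thresholds are assumed values, not from the page."""
    alerts = []
    history = defaultdict(list)
    for key, counts in buckets.items():
        for label in watch:
            n = counts.get(label, 0)
            prior = history[label]
            if len(prior) >= min_history:
                baseline = mean(prior) + sigmas * pstdev(prior)
                if n >= min_count and n > baseline:
                    alerts.append((key, label, n, round(baseline, 2)))
            prior.append(n)
    return alerts


def build_sample_events():
    """Constructed sample events (not real telemetry): six 5-minute buckets with a burst of
    denials in the fifth and a burst of response timeouts in the sixth."""
    t0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    plan = [
        {1: 10, 2: 1},
        {1: 10, 2: 1},
        {1: 10, 2: 1},
        {1: 10, 2: 1},
        {1: 10, 2: 8},          # denial burst
        {1: 10, 2: 1, 64: 6},   # timeout burst
    ]
    events = []
    for i, mix in enumerate(plan):
        start = t0 + timedelta(minutes=5 * i)
        offset = 0
        for code, n in mix.items():
            for _ in range(n):
                events.append({
                    "timestamp": start + timedelta(seconds=offset),
                    "IdpPolicyMfaStatus": code,
                    "MachineDomain": "corp.example",  # placeholder domain
                })
                offset += 1
    return events


if __name__ == "__main__":
    series = bucket_counts(build_sample_events())
    for key, counts in series.items():
        print(datetime.fromtimestamp(key, timezone.utc).isoformat(), dict(counts))
    for key, label, n, baseline in find_spikes(series):
        print(f"SPIKE {datetime.fromtimestamp(key, timezone.utc).isoformat()} "
              f"{label}: {n} events (baseline {baseline})")
```

Run stand-alone it prints the per-bucket counts and two spike lines. The baseline is deliberately per-label, so a steady trickle of "User not enrolled" does not mask a burst of denials, and unknown codes are labelled rather than dropped so a new status value shows up in the chart instead of disappearing.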

Author

CrowdStrike

Data Sources

Identity

Tags

Monitoring
cs_module:Identity

Raw Content

# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: MFA Status Monitoring

# Description of what the query does and its purpose.
description: Displays Multi-Factor Authentication (MFA) status events over time. Monitor for unexpected spikes in denials, errors, or timeouts that may indicate security threats, system issues, or user experience problems requiring investigation.

# The author or team that created the query.
author: CrowdStrike

# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
  - Identity

# The CrowdStrike modules required to run this query.
cs_required_modules:
  - Identity

# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
  - Monitoring

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #repo=base_sensor #event_simpleName=IdpPolicy*RuleMatch
  | in(field=cid, values=[?SelectedCid])
  | match(file="aid_master_main.csv", field=[cid, aid])
  // Filters
  | in(field=MachineDomain, values=[?SelectedDomain])
  | case {
    IdpPolicyMfaStatus=1 | IdpPolicyMfaStatus:="Approved";
    IdpPolicyMfaStatus=2 | IdpPolicyMfaStatus:="Denied";
    IdpPolicyMfaStatus=32 | IdpPolicyMfaStatus:="Invalid input";
    IdpPolicyMfaStatus=64 | IdpPolicyMfaStatus:="Resp. timeout";
    IdpPolicyMfaStatus=128 | IdpPolicyMfaStatus:="User not enrolled";
    IdpPolicyMfaStatus=256 | IdpPolicyMfaStatus:="Service Error";
    IdpPolicyMfaStatus=640 | IdpPolicyMfaStatus:="No authorizer";
  }
  | timeChart(series=IdpPolicyMfaStatus)