Box MFA disabled followed by unrecognized device logins

This rule is part of a beta feature. To learn more, contact Support.
box

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1078-valid-accounts

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Goal

Detects scenarios where a user disables Multi-Factor Authentication (MFA) and then attempts to log in from an unrecognized device, potentially indicating account compromise.

Strategy

Monitor enterprise events for MFA disable actions followed closely by login attempts from unrecognized devices, using {{@source.login}} to track the affected user.

Triage and Response

  1. Review the user {{@source.login}} who disabled MFA and attempted access from an unrecognized device.
  2. Investigate whether the login was expected by checking recent user behavior.
  3. If suspicious, force a password reset, and restrict account access.