<  Back to rules search

Azure Login Explicitly Denied MFA

azure

Classification:

attack

Tactic:

Technique:

Set up the azure integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect and identify the network IP address when multiple user accounts failed to complete the MFA process.

Strategy

Monitor Azure Active Directory Sign-in logs and detect when any @evt.category is equal to SignInLogs, @properties.authenticationRequirement is equal to multiFactorAuthentication and @evt.outcome is equal to failure.

Triage and response

  1. Inspect the log and determine if this was a valid login attempt.
  2. If the user was compromised, rotate user credentials.