Box MFA disabled followed by unrecognized device logins
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detects scenarios where a user disables Multi-Factor Authentication (MFA) and then attempts to log in from an unrecognized device, potentially indicating account compromise.
Strategy
Monitor enterprise events for MFA disable actions followed closely by login attempts from unrecognized devices, using {{@source.login}} to track the affected user.
Triage and Response
- Review the user
{{@source.login}} who disabled MFA and attempted access from an unrecognized device. - Investigate whether the login was expected by checking recent user behavior.
- If suspicious, force a password reset, and restrict account access.
