Classification: attack
Tactic:
Technique:
Set up the Azure integration.
Detects when multiple Azure AD multi-factor authentication (MFA) push notifications have been rejected or not responded to by a user, followed by a successful login.
This rule allows you to monitor Azure AD sign-in logs and detect when multiple MFA push notifications have been rejected or not responded to by a user, followed by a successful login. Attackers may attempt to bypass MFA mechanisms and gain access to accounts by generating MFA requests sent to users. Bombarding users with MFA push notifications may result in the user finally accepting the authentication request.
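The sequence the rule looks for, replayed over constructed sign-in records as an added Python example (this is not Datadog's rule implementation); the flat field names `usr.id`, `additionalDetails` and `success`, and the sample records themselves, are assumptions made for the demo:

```python
# Added example, not Datadog's own rule code: replays constructed Azure AD sign-in
# records and flags the MFA-fatigue sequence the rule describes.
from datetime import datetime, timedelta

# additionalDetails values that mark a rejected or unanswered push
# (the two strings used in the rule's triage query).
DECLINED = "MFA denied; user declined the authentication"
NO_RESPONSE = "MFA denied; user did not respond to mobile app notification"
PUSH_FAILURES = {DECLINED, NO_RESPONSE}


def rec(minute, user, details=""):
    """Constructed record. Field names are assumed: a flat 'usr.id', and a
    'success' flag standing in for the sign-in status; details="" means the
    sign-in completed."""
    return {"timestamp": f"2024-01-10T08:{minute:02d}:00", "usr.id": user,
            "success": details == "", "additionalDetails": details}


SAMPLE = [  # constructed: alice gets three pushes then a login succeeds; bob declines once
    rec(0, "alice@example.test", NO_RESPONSE),
    rec(2, "alice@example.test", DECLINED),
    rec(4, "alice@example.test", NO_RESPONSE),
    rec(5, "alice@example.test"),
    rec(1, "bob@example.test", DECLINED),
    rec(30, "bob@example.test"),
]


def detect_mfa_fatigue(records, min_failures=3, window=timedelta(minutes=15)):
    """Return (user, failure_count, success_timestamp) for each successful sign-in
    preceded by at least min_failures rejected/unanswered pushes inside `window`."""
    by_user = {}
    for r in sorted(records, key=lambda r: r["timestamp"]):
        by_user.setdefault(r["usr.id"], []).append(r)
    hits = []
    for user, events in by_user.items():
        failures = []  # timestamps of recent push failures for this user
        for ev in events:
            ts = datetime.fromisoformat(ev["timestamp"])
            failures = [t for t in failures if ts - t <= window]  # expire old ones
            if ev["additionalDetails"] in PUSH_FAILURES:
                failures.append(ts)
            elif ev["success"]:
                if len(failures) >= min_failures:
                    hits.append((user, len(failures), ev["timestamp"]))
                failures = []  # a success closes the burst
    return hits


if __name__ == "__main__":
    for hit in detect_mfa_fatigue(SAMPLE):
        print("possible MFA fatigue:", hit)
```

Tune `min_failures` and `window` to the tenant's normal push-retry behaviour before acting on a hit; a single decline followed by a login much later (bob above) is not flagged with the defaults.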
- Review the Azure AD sign-in logs for {{@usr.id}} to understand the context of the push rejections, and whether or not the push notifications were initiated by the user.
- Filter on `@usr.id` and `@properties.status.additionalDetails:("MFA denied; user declined the authentication" OR "MFA denied; user did not respond to mobile app notification")` to highlight the failed push notifications.
- Compare previous geo-locations, user-agents, and IP addresses for the user to determine whether this is abnormal activity.