Box MFA disabled followed by unrecognized device logins

This rule is part of a beta feature. To learn more, contact Support.
box

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1078-valid-accounts

이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detects scenarios where a user disables Multi-Factor Authentication (MFA) and then attempts to log in from an unrecognized device, potentially indicating account compromise.

Strategy

Monitor enterprise events for MFA disable actions followed closely by login attempts from unrecognized devices, using {{@source.login}} to track the affected user.

Triage and Response

  1. Review the user {{@source.login}} who disabled MFA and attempted access from an unrecognized device.
  2. Investigate whether the login was expected by checking recent user behavior.
  3. If suspicious, force a password reset, and restrict account access.