Azure Login Explicitly Denied MFA
Incident Management is now generally available! Incident Management is now generally available!
<  Back to rules search

Azure Login Explicitly Denied MFA

azure

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1110-brute-force

Set up the azure integration.

Overview

Goal

Detect and identify the network IP address when multiple user accounts failed to complete the MFA process.

Strategy

Monitor Azure Active Directory Sign-in logs and detect when any @evt.category is equal to SignInLogs, @properties.authenticationRequirement is equal to multiFactorAuthentication and @evt.outcome is equal to failure.

Triage & Response

  1. Inspect the log and determine if this was a valid login attempt.
  2. If the user was compromised, rotate user credentials.