
Multifactor Authentication Denied

The user has indicated that they did not initiate the MFA prompt, which may indicate that an attacker has the password for the account.

Author
AlertIQ
Created
Thu Mar 24
Rule ID
e40f4962-b02b-4192-9bfe-245f7ece1f99
Category
cloud
Log Source
Product
azure
Service
signinlogs
Detection Logic
detection:
    selection:
        AuthenticationRequirement: 'multiFactorAuthentication'
        Status|contains: 'MFA Denied'
    condition: selection
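The selection above is a single AND-ed map: the sign-in must have required MFA and its status must contain the string "MFA Denied" (Sigma string matching is case-insensitive). The following Python is an added example, not code from the rule, its author or the Sigma project. It transcribes the selection into a tiny matcher, runs it over constructed sign-in records (the field names AuthenticationRequirement and Status come from the rule; the record shape, UserPrincipalName field and user names are assumptions for this example, not the exact Azure sign-in schema), and adds a per-user tally as a triage aid for the false positive noted below: a single deny from a user is consistent with a mis-click, whereas repeated denies for the same account are harder to explain that way.

```python
"""Evaluate the Sigma selection of "Multifactor Authentication Denied" over
constructed Azure sign-in records (added example, not the rule's own code)."""
from collections import Counter

# The rule's selection, transcribed from the YAML. Keys may carry a Sigma
# modifier after "|"; this rule only needs "contains".
SELECTION = {
    "AuthenticationRequirement": "multiFactorAuthentication",
    "Status|contains": "MFA Denied",
}


def _field_matches(record, key, expected):
    """Apply one selection entry (field plus optional |modifier) to a record.

    Sigma compares strings case-insensitively, so both sides are lowered.
    """
    field, _, modifier = key.partition("|")
    value = record.get(field)
    if value is None:
        return False
    value = str(value).lower()
    expected = str(expected).lower()
    if modifier == "":
        return value == expected
    if modifier == "contains":
        return expected in value
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def matches_rule(record):
    """True when every entry of the selection matches (entries are AND-ed)."""
    return all(_field_matches(record, k, v) for k, v in SELECTION.items())


# Constructed sample records; not real log data. The UserPrincipalName field
# is an assumption used only for the per-user tally.
SAMPLE_LOGS = [
    {"UserPrincipalName": "alice@example.com",
     "AuthenticationRequirement": "multiFactorAuthentication",
     "Status": "MFA denied; user declined the authentication"},
    {"UserPrincipalName": "bob@example.com",
     "AuthenticationRequirement": "multiFactorAuthentication",
     "Status": "Success"},
    # Status matches but MFA was not required: the AND must reject this.
    {"UserPrincipalName": "carol@example.com",
     "AuthenticationRequirement": "singleFactorAuthentication",
     "Status": "MFA Denied"},
    {"UserPrincipalName": "alice@example.com",
     "AuthenticationRequirement": "multiFactorAuthentication",
     "Status": "MFA Denied"},
    {"UserPrincipalName": "dave@example.com",
     "AuthenticationRequirement": "multiFactorAuthentication",
     "Status": "MFA Denied"},
]


def find_mfa_denies(records):
    """Return the records the rule would alert on."""
    return [r for r in records if matches_rule(r)]


def denies_per_user(records):
    """Count matching records per user so that repeated denies, which are
    less likely to be a single mis-click, stand out during triage."""
    return Counter(r["UserPrincipalName"] for r in find_mfa_denies(records))


if __name__ == "__main__":
    for user, count in denies_per_user(SAMPLE_LOGS).most_common():
        print(f"{user}: {count} MFA deny event(s)")
```

Running the block lists alice with two deny events and dave with one; bob (successful sign-in) and carol (MFA not required) do not match. In a real pipeline the same tally would be computed over a time window rather than a whole batch.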
False Positives

Users who do log in themselves but mis-click the Deny button on the MFA prompt.

Rule Metadata
Rule ID
e40f4962-b02b-4192-9bfe-245f7ece1f99
Status
test
Level
medium
Type
Detection
Created
Thu Mar 24
Author
AlertIQ
Path
rules/cloud/azure/signin_logs/azure_mfa_denies.yml
Raw Tags
attack.privilege-escalation
attack.persistence
attack.defense-evasion
attack.initial-access
attack.credential-access
attack.t1078.004
attack.t1110
attack.t1621