Multifactor Authentication Interrupted
Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
Sigma rule
```yaml
title: Multifactor Authentication Interrupted
id: 5496ff55-42ec-4369-81cb-00f417029e25
status: test
description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-18
tags:
    - attack.initial-access
    - attack.credential-access
    - attack.t1078.004
    - attack.t1110
    - attack.t1621
logsource:
    product: azure
    service: signinlogs
detection:
    selection_50074:
        ResultType: 50074
        ResultDescription|contains: 'Strong Auth required'
    selection_500121:
        ResultType: 500121
        ResultDescription|contains: 'Authentication failed during strong authentication request'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
```
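The rule's matching logic applied to sign-in records, as an added example that is not part of the rule or the Sigma project's code. It assumes records are dictionaries keyed by `ResultType`, `ResultDescription`, `UserPrincipalName` and `IPAddress`; the sample records are constructed, and the per-user summary is an illustrative triage step that goes beyond the rule itself.

```python
from collections import defaultdict

# (ResultType, substring ResultDescription must contain), copied from the rule above.
SELECTIONS = {
    "selection_50074": ("50074", "Strong Auth required"),
    "selection_500121": ("500121", "Authentication failed during strong authentication request"),
}

def matched_selection(event):
    """Return the name of the first selection the event satisfies, else None."""
    result_type = str(event.get("ResultType", "")).strip()  # tolerate int or str codes
    description = str(event.get("ResultDescription", "")).lower()
    for name, (code, needle) in SELECTIONS.items():
        # Fields inside one selection are ANDed; Sigma's |contains ignores case.
        if result_type == code and needle.lower() in description:
            return name
    return None  # "1 of selection_*" means any single selection is enough

def summarize(events):
    """Group matching events per user: hit count, source IPs, selections seen."""
    summary = defaultdict(lambda: {"hits": 0, "ips": set(), "selections": set()})
    for event in events:
        name = matched_selection(event)
        if name is None:
            continue
        entry = summary[event.get("UserPrincipalName", "<unknown>")]
        entry["hits"] += 1
        entry["ips"].add(event.get("IPAddress", "<unknown>"))
        entry["selections"].add(name)
    return dict(summary)

# Constructed sample records (not real log data; addresses are documentation ranges).
SAMPLE_EVENTS = [
    {"UserPrincipalName": "alice@example.com", "IPAddress": "203.0.113.10",
     "ResultType": "50074", "ResultDescription": "Strong Auth required"},
    {"UserPrincipalName": "alice@example.com", "IPAddress": "198.51.100.7",
     "ResultType": 500121,
     "ResultDescription": "authentication failed during strong authentication request."},
    # Code matches but the description wording differs, so the selection does not fire.
    {"UserPrincipalName": "bob@example.com", "IPAddress": "192.0.2.5",
     "ResultType": "50074", "ResultDescription": "User needs to complete MFA"},
    {"UserPrincipalName": "carol@example.com", "IPAddress": "192.0.2.9",
     "ResultType": "0", "ResultDescription": ""},
    {"UserPrincipalName": "alice@example.com", "IPAddress": "203.0.113.10",
     "ResultType": "500121",
     "ResultDescription": "Authentication failed during strong authentication request."},
]

if __name__ == "__main__":
    for user, info in summarize(SAMPLE_EVENTS).items():
        print(user, info["hits"], sorted(info["ips"]), sorted(info["selections"]))
```

The third record shows the effect of pairing `ResultType` with `ResultDescription|contains`: an event whose description is worded differently is not matched, so check the description text your tenant actually logs before relying on the rule.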
Related rules
- Multifactor Authentication Denied
- Failed Authentications From Countries You Do Not Operate Out Of
- Potential MFA Bypass Using Legacy Client Authentication
- Sign-in Failure Due to Conditional Access Requirements Not Met
- Successful Authentications From Countries You Do Not Operate Out Of