Multifactor Authentication Interrupted
Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
Sigma rule
```yaml
title: Multifactor Authentication Interrupted
id: 5496ff55-42ec-4369-81cb-00f417029e25
status: test
description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-evasion
    - attack.initial-access
    - attack.credential-access
    - attack.t1078.004
    - attack.t1110
    - attack.t1621
logsource:
    product: azure
    service: signinlogs
detection:
    selection_50074:
        ResultType: 50074
        ResultDescription|contains: 'Strong Auth required'
    selection_500121:
        ResultType: 500121
        ResultDescription|contains: 'Authentication failed during strong authentication request'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
```
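The rule's matching logic applied to sample sign-in records, as an added example that is not part of the original rule or the Sigma project. The helper names are hypothetical, the records are constructed, and the `UserPrincipalName` field is assumed to be present so hits can be grouped per account.

```python
from collections import Counter

# Selections transcribed from the rule's detection section.
SELECTIONS = {
    "selection_50074": {
        "ResultType": ("equals", "50074"),
        "ResultDescription": ("contains", "Strong Auth required"),
    },
    "selection_500121": {
        "ResultType": ("equals", "500121"),
        "ResultDescription": ("contains",
            "Authentication failed during strong authentication request"),
    },
}

def field_matches(event, field, modifier, expected):
    if event.get(field) is None:
        return False
    # Compare as lower-cased strings: ResultType may arrive as int or str,
    # and Sigma string matching is case-insensitive by default.
    actual, expected = str(event[field]).lower(), expected.lower()
    return expected in actual if modifier == "contains" else actual == expected

def matched_selections(event):
    """Selections whose fields ALL match (fields inside a selection are ANDed)."""
    return [name for name, fields in SELECTIONS.items()
            if all(field_matches(event, f, m, v) for f, (m, v) in fields.items())]

def rule_fires(event):
    return bool(matched_selections(event))  # condition: 1 of selection_*

def hits_per_user(events):
    """Count matching sign-ins per account to support triage."""
    return Counter(e.get("UserPrincipalName", "<unknown>")
                   for e in events if rule_fires(e))

# Constructed sample sign-in records (not real log data).
SAMPLE_EVENTS = [
    {"UserPrincipalName": "alice@example.com", "ResultType": "50074", "ResultDescription": "Strong Auth required."},
    {"UserPrincipalName": "alice@example.com", "ResultType": 500121, "ResultDescription": "Authentication failed during strong authentication request."},
    {"UserPrincipalName": "bob@example.com", "ResultType": "0", "ResultDescription": ""},
    {"UserPrincipalName": "carol@example.com", "ResultType": "50074", "ResultDescription": "Other text"},
    {"UserPrincipalName": "dave@example.com", "ResultType": "500121", "ResultDescription": "authentication failed during STRONG authentication request"},
    {"UserPrincipalName": "erin@example.com", "ResultType": "50074"},
]

if __name__ == "__main__":
    for user, count in hits_per_user(SAMPLE_EVENTS).items():
        print(user, count)
```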
Related rules
- Multifactor Authentication Denied
- Bitbucket User Login Failure
- Failed Authentications From Countries You Do Not Operate Out Of
- Potential MFA Bypass Using Legacy Client Authentication
- Sign-in Failure Due to Conditional Access Requirements Not Met