Multifactor Authentication Interrupted

Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.

Sigma rule (View on GitHub)

 1title: Multifactor Authentication Interrupted
 2id: 5496ff55-42ec-4369-81cb-00f417029e25
 3status: test
 4description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 7author: AlertIQ
 8date: 2021-10-10
 9modified: 2022-12-18
10tags:
11    - attack.initial-access
12    - attack.credential-access
13    - attack.t1078.004
14    - attack.t1110
15    - attack.t1621
16logsource:
17    product: azure
18    service: signinlogs
19detection:
20    selection_50074:
21        ResultType: 50074
22        ResultDescription|contains: 'Strong Auth required'
23    selection_500121:
24        ResultType: 500121
25        ResultDescription|contains: 'Authentication failed during strong authentication request'
26    condition: 1 of selection_*
27falsepositives:
28    - Unknown
29level: medium

References

Related rules

to-top