Azure AD possible MFA fatigue attack

Set up the azure integration.


Goal

Detects when multiple Azure AD multi-factor authentication (MFA) push notifications have been rejected or not responded to by a user.

Strategy

This rule allows you to monitor Azure AD sign-in logs and detect when multiple MFA push notifications have been rejected or not responded to by a user. Attackers may attempt to bypass MFA mechanisms and gain access to accounts by generating MFA requests sent to users. Bombarding users with MFA push notifications may result in the user finally accepting the authentication request.
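As an added illustration of the detection logic described above (this is example code, not Datadog's rule implementation), the following Python script scans Azure AD sign-in records for the two `status.additionalDetails` values that the triage section filters on, groups them per user, and flags any user with at least a threshold number of rejected or unanswered MFA pushes inside a sliding time window. The threshold and window are assumptions chosen for the example, the sample events are constructed, and the raw field names other than `status.additionalDetails` (`createdDateTime`, `userPrincipalName`, `ipAddress`) are assumed rather than taken from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The two sign-in status details this rule keys on (quoted from the triage filter).
MFA_FAILURE_DETAILS = {
    "MFA denied; user declined the authentication",
    "MFA denied; user did not respond to mobile app notification",
}


def is_mfa_push_failure(event):
    """True when the sign-in record carries one of the two MFA push failure details."""
    status = event.get("status") or {}
    return status.get("additionalDetails") in MFA_FAILURE_DETAILS


def _parse_time(value):
    # Sign-in timestamps in the constructed sample are UTC "Z" ISO-8601 strings.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_fatigue(events, threshold=5, window_minutes=10):
    """Return {user: (count, first_ts, last_ts)} for every user who has at least
    `threshold` rejected/unanswered MFA pushes inside some window of
    `window_minutes`. Threshold and window are assumptions for this example."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for ev in events:
        if is_mfa_push_failure(ev):
            failures[ev["userPrincipalName"]].append(_parse_time(ev["createdDateTime"]))

    hits = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        best = None
        # Two-pointer sliding window: advance `start` until the span fits in `window`.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, times[start], t)
        if best is not None:
            hits[user] = best
    return hits


def _event(ts, user, ip, details):
    # Minimal sign-in record shape used by the constructed sample (assumed field names).
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "status": {"additionalDetails": details}}


# Constructed sample sign-in events (not real log data).
DECLINED = "MFA denied; user declined the authentication"
NO_RESPONSE = "MFA denied; user did not respond to mobile app notification"
SAMPLE_EVENTS = [
    # alice: six push failures in just over six minutes, then an unrelated failure
    _event("2024-01-10T08:00:00Z", "alice@example.com", "203.0.113.5", DECLINED),
    _event("2024-01-10T08:01:30Z", "alice@example.com", "203.0.113.5", NO_RESPONSE),
    _event("2024-01-10T08:02:10Z", "alice@example.com", "203.0.113.5", DECLINED),
    _event("2024-01-10T08:03:45Z", "alice@example.com", "203.0.113.5", NO_RESPONSE),
    _event("2024-01-10T08:05:00Z", "alice@example.com", "203.0.113.5", DECLINED),
    _event("2024-01-10T08:06:20Z", "alice@example.com", "203.0.113.5", DECLINED),
    _event("2024-01-10T08:07:00Z", "alice@example.com", "203.0.113.5", "Other status (constructed)"),
    # bob: two push failures half an hour apart
    _event("2024-01-10T09:00:00Z", "bob@example.com", "198.51.100.7", DECLINED),
    _event("2024-01-10T09:30:00Z", "bob@example.com", "198.51.100.7", NO_RESPONSE),
    # carol: five push failures, but spread seven minutes apart
    _event("2024-01-10T10:00:00Z", "carol@example.com", "192.0.2.9", NO_RESPONSE),
    _event("2024-01-10T10:07:00Z", "carol@example.com", "192.0.2.9", NO_RESPONSE),
    _event("2024-01-10T10:14:00Z", "carol@example.com", "192.0.2.9", DECLINED),
    _event("2024-01-10T10:21:00Z", "carol@example.com", "192.0.2.9", NO_RESPONSE),
    _event("2024-01-10T10:28:00Z", "carol@example.com", "192.0.2.9", DECLINED),
]

if __name__ == "__main__":
    for user, (count, first, last) in find_mfa_fatigue(SAMPLE_EVENTS).items():
        print(f"possible MFA fatigue: {user} had {count} push failures between {first} and {last}")
```

With the default threshold of 5 in 10 minutes only alice is flagged; carol's five failures never fall inside one window, which is why the window matters as much as the count. Lowering the threshold or widening the window (the two knobs a detection engineer would tune against their own sign-in volume) pulls bob and carol in as well.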

Triage and response

  1. Speak with the user {{@usr.id}} to understand the context of push rejections, and whether or not the push notifications were initiated by the user.
  2. If the user did not initiate the push notifications:
    • Filter for the specific @usr.id and @properties.status.additionalDetails:("MFA denied; user declined the authentication" OR "MFA denied; user did not respond to mobile app notification") to highlight failed push notifications. Compare previous geo-locations, user-agents, and IP addresses for the user to determine if this is abnormal activity.
    • If it is believed to be malicious activity, then disable the user, invalidate any active sessions, and rotate their credentials.
    • Begin your organization’s incident response process and investigate.