Merge pull request #1178 from secops-and-hops/master
MFA push deny detection
This commit is contained in:
Коммит
ef04f5410f
|
@ -0,0 +1,24 @@
|
|||
id: a22740ec-fc1e-4c91-8de6-c29c6450ad00
|
||||
name: Explicit MFA Deny
|
||||
description: |
|
||||
'User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureActiveDirectory
|
||||
dataTypes:
|
||||
- SigninLogs
|
||||
queryFrequency: 1d
|
||||
queryPeriod: 1d
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- CredentialAccess
|
||||
relevantTechniques:
|
||||
- T1110
|
||||
query: |
|
||||
SigninLogs
|
||||
| where ResultType == 500121
|
||||
| where Status has "MFA Denied; user declined the authentication"
|
||||
| extend AccountCustomEntity = AlternateSignInName
|
||||
| extend IPCustomEntity = IPAddress
|
||||
| extend URLCustomEntity = ClientAppUsedlet
|
Загрузка…
Ссылка в новой задаче