Update azure_ad_multiple_denied_mfa_requests_for_user.yml
mvelazc0 committed Oct 31, 2023
1 parent 77b591f commit 1ff4ed0
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -19,7 +19,7 @@ search: '`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity
how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.
known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES
known_false_positives: Multiple denifed MFA requests in a short period of span may also be a sign of authentication errors. Investigate and filter as needed.
references:
- https://www.mandiant.com/resources/blog/russian-targeting-gov-business
- https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/
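Review bot: the replacement known_false_positives line has a typo, "denifed" should be "denied", and "in a short period of span" reads awkwardly; suggest "Multiple denied MFA requests in a short period of time may also be a sign of authentication errors. Investigate and filter as needed." so the text shown to analysts in the detection's false-positive guidance is clean, since this field is what an analyst triaging MFA-fatigue style alerts will read.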
