LoFP / t1586.003
Title
Tags
a source ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior.
t1110
T1110.003
T1110.004
t1586
t1586.003
o365 tenant
okta tenant
splunk
a source ip failing to authenticate with multiple users is not common legitimate behavior.
t1110
T1110.003
T1110.004
t1586
t1586.003
azure active directory
splunk
a user may have accidentally entered the wrong credentials during the mfa challenge. if the user is new to mfa, they may have trouble authenticating. ensure that the user is aware of the mfa process and has the correct credentials.
t1078
t1078.004
t1586
t1586.003
t1621
okta tenant
splunk
administrative users will likely use powershell cmdlets to troubleshoot and maintain the environment. filter as needed.
t1078
t1078.004
t1586
t1586.003
azure active directory
splunk
administrator tooling or automated scripts may make these calls, but they are highly unlikely to make several calls in a short period of time.
t1110
t1110.001
t1586
t1586.003
aws account
splunk
although not recommended, certain users may be exempt from multi-factor authentication. adjust the filter as necessary.
t1078
t1078.004
t1586
t1586.003
t1621
okta tenant
splunk
although not recommended, certain users may be exempt from multi-factor authentication. filter as needed.
t1078
t1078.004
t1586
t1586.003
azure active directory
google cloud platform tenant
splunk
aws administrators may disable mfa, but it is highly unlikely for this event to occur without prior notice to the company.
t1556
t1556.006
t1586
t1586.003
t1621
aws account
splunk
details of the risk calculation algorithm used by identity protection are not published, so the detection may be prone to false positives.
t1110
T1110.003
t1586
t1586.003
azure active directory
splunk
if an end-user incorrectly identifies normal activity as suspicious.
t1586
t1586.003
okta
sigma
it is possible that some accounts in the aws account do not have mfa enabled; however, this is against best practices for securing aws.
t1078
t1078.004
t1586
t1586.003
aws account
splunk
it is uncommon for a user to log in from multiple cities simultaneously, which may indicate a false positive.
t1586.003
okta tenant
splunk
a legitimate use case may require users to disable mfa. filter as needed.
t1556
t1556.006
t1586
t1586.003
gcp
azure active directory
splunk
legitimate users may fail to respond to the mfa challenge within the time window or deny it by mistake.
t1078
t1078.004
t1586
t1586.003
t1621
aws account
azure active directory
google cloud platform tenant
splunk
multiple failed mfa requests may also be a sign of authentication or application issues. filter as needed.
t1078
t1078.004
t1586
t1586.003
t1621
google cloud platform tenant
o365 tenant
azure active directory
aws account
splunk
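The notes above on mfa challenges that are missed, denied by mistake, or failing because of an authentication or application problem describe the same triage question: is one user being hammered with prompts (the T1621 push-fatigue pattern), or is the whole tenant failing mfa at once? The following is an added example, not code from the LoFP page or from any of the Splunk detections it lists. It runs the check over constructed events: the field names, the outcome labels `DENY`/`TIMEOUT`/`SUCCESS`, the 10-minute bucket and both thresholds are assumptions chosen for illustration, not values from any product.

```python
from collections import Counter, defaultdict
from datetime import datetime


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def mfa_event(ts, user, outcome):
    """Constructed MFA-challenge event (not real Okta/Entra/AWS telemetry).
    outcome is assumed to be SUCCESS, DENY (user pressed deny) or TIMEOUT (no reply)."""
    return {"time": ts, "user": user, "outcome": outcome}


# Constructed sample data (not captured from any tenant).
EVENTS = (
    # one user receiving six pushes in three minutes and denying every one:
    # the push-fatigue shape behind T1621
    [mfa_event(f"2024-05-01T09:{i // 2:02d}:{(i % 2) * 30:02d}Z", "carol@example.com", "DENY")
     for i in range(6)]
    # a user who lets two prompts time out, then approves the third (note on
    # users new to mfa / missing the time window)
    + [mfa_event("2024-05-01T09:10:00Z", "dave@example.com", "TIMEOUT"),
       mfa_event("2024-05-01T09:11:00Z", "dave@example.com", "TIMEOUT"),
       mfa_event("2024-05-01T09:12:00Z", "dave@example.com", "SUCCESS")]
    # an identity-provider outage: twelve users each time out five times in the
    # same ten minutes (note on authentication or application issues)
    + [mfa_event(f"2024-05-01T14:{k:02d}:{u * 4:02d}Z", f"emp{u}@example.com", "TIMEOUT")
       for u in range(12) for k in range(5)]
)


def bucket_start(ts, window_minutes):
    """Floor a timestamp to a fixed bucket, like `bin _time span=10m` in SPL."""
    minute = ts.minute - ts.minute % window_minutes
    return ts.replace(minute=minute, second=0, microsecond=0)


def triage_mfa_failures(events, window_minutes=10, per_user_threshold=5,
                        outage_user_threshold=10):
    """Count failed MFA challenges per user inside each time bucket.

    A user with at least per_user_threshold failures in one bucket is a
    candidate T1621 hit. If outage_user_threshold or more distinct users failed
    in that same bucket, the bucket looks like a platform problem rather than
    an attack, so its candidates are returned as suppressed instead of alerts.
    Returns (alerts, suppressed), each a list of dicts.
    """
    per_bucket = defaultdict(Counter)
    for e in events:
        if e["outcome"] in ("DENY", "TIMEOUT"):
            start = bucket_start(parse_ts(e["time"]), window_minutes)
            per_bucket[start][e["user"]] += 1

    alerts, suppressed = [], []
    for start in sorted(per_bucket):
        counts = per_bucket[start]
        tenant_wide = len(counts) >= outage_user_threshold
        for user, n in counts.items():
            if n < per_user_threshold:
                continue  # below the per-user bar: mistakes, not fatigue
            record = {"bucket": start.isoformat(), "user": user, "failures": n}
            (suppressed if tenant_wide else alerts).append(record)
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = triage_mfa_failures(EVENTS)
    for a in alerts:
        print(f"ALERT   {a['bucket']} {a['user']} failed mfa {a['failures']}x")
    for s in suppressed:
        print(f"SUPPRESS {s['bucket']} {s['user']} ({s['failures']}x, tenant-wide failures)")
```

With the defaults, only carol is alerted; dave never reaches the per-user bar, and the twelve users in the 14:00 bucket are all suppressed because the bucket itself looks like an outage. Raising `outage_user_threshold` to a number the tenant can never reach shows what the detection would do without that check: thirteen alerts, twelve of them noise.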
no known false positives for this detection. please review this alert.
t1110
T1110.003
T1110.004
t1586
t1586.003
google cloud platform tenant
splunk
no known false positives for this detection. please review this alert.
t1110
T1110.003
T1110.004
t1586
t1586.003
google cloud platform tenant
splunk
this detection may yield false positives when legitimate bulk sign-in activity occurs, such as during company-wide system updates, or when users access resources from varying locations in a short time frame, for example through vpns or cloud services that rotate ip addresses. filter as needed.
t1110
T1110.003
T1110.004
t1586
t1586.003
azure tenant
o365 tenant
splunk
users may genuinely mistype or forget the password.
t1110
t1110.001
t1586
t1586.003
aws account
splunk
users may genuinely reset the rds password.
t1110
t1586
t1586.003
aws account
splunk
when a legitimate new user logs in for the first time, this activity will be detected. check how old the account is and verify that the user activity is legitimate.
t1078.004
T1535
t1552
t1586
t1586.003
aws instance
splunk