t1621
Title
Tags
a user may have accidentally entered the wrong credentials during the mfa challenge. if the user is new to mfa, they may have trouble authenticating. ensure that the user is aware of the mfa process and has the correct credentials.
t1078
t1078.004
t1586
t1586.003
t1621
okta tenant
splunk
although not recommended, certain users may be exempt from multi-factor authentication. adjust the filter as necessary.
t1078
t1078.004
t1586
t1586.003
t1621
okta tenant
splunk
aws administrators may disable mfa, but it is highly unlikely for this event to occur without prior notice to the company.
t1556
t1556.006
t1586
t1586.003
t1621
aws account
splunk
false positives have been minimized by removing attempts that result in 'mfa successfully completed messages', which were found to be generated when a user opts to use a different mfa method than the default. further reductions in notable events can be achieved through filtering 'mfa denied; duplicate authentication attempt' messages within the auth_msg field, as they could arguably be considered as false positives.
t1078
t1078.004
t1586
t1586.003
t1621
azure active directory
splunk
false positives may be generated by normal provisioning workflows for user device registration.
t1078
t1098.005
t1110
t1556.006
t1621
identity
splunk
false positives may be generated by normal provisioning workflows that generate a password reset followed by a device registration.
t1098.005
t1556.006
t1621
identity
splunk
false positives may be generated by users working outside the geographic region where the organization's services or technology is hosted.
t1098.005
t1556.006
t1621
identity
splunk
legitimate users may fail to reply to the mfa challenge within the time window or deny it by mistake.
t1078
t1078.004
t1586
t1586.003
t1621
google cloud platform tenant
aws account
splunk
multiple denied mfa requests in a short period of time may also be a sign of authentication errors. investigate and filter as needed.
t1621
azure active directory
splunk
multiple failed mfa requests may also be a sign of authentication or application issues. filter as needed and monitor for any unusual activity.
t1621
okta tenant
splunk
users actually log in but mis-click the deny button when the mfa prompt appears.
t1078
t1078.004
t1110
t1621
azure
sigma