Techniques
Sample rules
Azure AD Successful Single-Factor Authentication
- source: splunk
- techniques:
  - T1586
  - T1586.003
  - T1078
  - T1078.004
Description
The following analytic identifies a successful authentication event against Azure Active Directory for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation or an account takeover attempt that should be investigated.
Detection logic
`azure_monitor_aad` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication properties.authenticationDetails{}.succeeded=true
| rename properties.* as *
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, authenticationRequirement
| `azure_ad_successful_single_factor_authentication_filter`
GCP Successful Single-Factor Authentication
- source: splunk
- techniques:
  - T1586
  - T1586.003
  - T1078
  - T1078.004
Description
The following analytic identifies a successful authentication event against Google Cloud Platform for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation or an account takeover attempt that should be investigated.
Detection logic
`gws_reports_login` event.name=login_success NOT `gws_login_mfa_methods`
| stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method, app, event.name, vendor_account, action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `gcp_successful_single_factor_authentication_filter`
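Both searches above apply the same pattern: drop everything except successful sign-ins, drop the ones where a second factor was presented, then aggregate what is left. The Python below is an added example (not code from the catalogued rules or from Splunk) that re-implements both searches over constructed sample events so the filter and `stats` steps can be read without a Splunk instance. It assumes the Azure records already carry the CIM-normalised `user` and `src_ip` names that the SPL relies on after `rename properties.* as *`, uses a hypothetical `MFA_CHALLENGE_METHODS` set as a stand-in for the `gws_login_mfa_methods` macro (whose definition is not on the page), approximates `security_content_ctime` with a UTC timestamp, and omits the trailing `*_filter` allow-list macros.

```python
"""Added example: the two single-factor-success searches above as plain Python,
run over constructed sample events. Not the rules' own code."""
from collections import defaultdict
from datetime import datetime, timezone


def ctime(epoch):
    """Stand-in for `security_content_ctime`: epoch seconds -> readable UTC time."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed Azure AD SignInLogs records (values are made up). `user` and `src_ip`
# are assumed to be the CIM-normalised names the SPL uses after the rename.
AZURE_EVENTS = [
    {"_time": 1700000000, "category": "SignInLogs",
     "properties": {"user": "alice@example.com", "src_ip": "198.51.100.10",
                    "appDisplayName": "Office 365 Exchange Online",
                    "authenticationRequirement": "singleFactorAuthentication",
                    "authenticationDetails": [{"succeeded": True}]}},
    {"_time": 1700000300, "category": "SignInLogs",
     "properties": {"user": "bob@example.com", "src_ip": "198.51.100.10",
                    "appDisplayName": "Office 365 Exchange Online",
                    "authenticationRequirement": "singleFactorAuthentication",
                    "authenticationDetails": [{"succeeded": True}]}},
    {"_time": 1700000600, "category": "SignInLogs",  # MFA was required: must be ignored
     "properties": {"user": "carol@example.com", "src_ip": "203.0.113.7",
                    "appDisplayName": "Azure Portal",
                    "authenticationRequirement": "multiFactorAuthentication",
                    "authenticationDetails": [{"succeeded": True}]}},
    {"_time": 1700000900, "category": "SignInLogs",  # single factor but failed: ignored
     "properties": {"user": "dave@example.com", "src_ip": "203.0.113.7",
                    "appDisplayName": "Azure Portal",
                    "authenticationRequirement": "singleFactorAuthentication",
                    "authenticationDetails": [{"succeeded": False}]}},
]


def azure_single_factor_success(events):
    """Mirror of the Azure AD search: filter, then stats by src_ip, app, requirement."""
    groups = defaultdict(lambda: {"count": 0, "times": [], "users": set()})
    for ev in events:
        p = ev.get("properties", {})
        if ev.get("category") != "SignInLogs":
            continue
        if p.get("authenticationRequirement") != "singleFactorAuthentication":
            continue
        # `authenticationDetails{}.succeeded=true` matches if ANY element succeeded
        if not any(d.get("succeeded") is True for d in p.get("authenticationDetails", [])):
            continue
        key = (p.get("src_ip"), p.get("appDisplayName"), p.get("authenticationRequirement"))
        g = groups[key]
        g["count"] += 1
        g["times"].append(ev["_time"])
        g["users"].add(p.get("user"))
    return [
        {"src_ip": k[0], "appDisplayName": k[1], "authenticationRequirement": k[2],
         "count": g["count"], "firstTime": ctime(min(g["times"])),
         "lastTime": ctime(max(g["times"])), "user": sorted(g["users"])}
        for k, g in groups.items()
    ]


# Hypothetical stand-in for the `gws_login_mfa_methods` macro (its real definition is
# not on the page): challenge methods treated as a second factor.
MFA_CHALLENGE_METHODS = {"security_key", "totp", "google_prompt", "backup_code"}

# Constructed Google Workspace login events (values are made up).
GWS_EVENTS = [
    {"_time": 1700001000, "event.name": "login_success", "user": "erin@example.com",
     "src_ip": "192.0.2.25", "login_challenge_method": "password", "app": "login",
     "vendor_account": "C0example", "action": "success"},
    {"_time": 1700001200, "event.name": "login_success", "user": "erin@example.com",
     "src_ip": "192.0.2.25", "login_challenge_method": "password", "app": "login",
     "vendor_account": "C0example", "action": "success"},
    {"_time": 1700001500, "event.name": "login_success", "user": "frank@example.com",
     "src_ip": "192.0.2.30", "login_challenge_method": "security_key", "app": "login",
     "vendor_account": "C0example", "action": "success"},  # second factor: ignored
    {"_time": 1700001800, "event.name": "login_failure", "user": "grace@example.com",
     "src_ip": "192.0.2.31", "login_challenge_method": "password", "app": "login",
     "vendor_account": "C0example", "action": "failure"},  # not a success: ignored
]

GWS_GROUP_FIELDS = ("user", "src_ip", "login_challenge_method", "app",
                    "event.name", "vendor_account", "action")


def gws_single_factor_success(events, mfa_methods=MFA_CHALLENGE_METHODS):
    """Mirror of the GWS search: login_success NOT <mfa methods>, then stats by the 7 fields."""
    groups = defaultdict(lambda: {"count": 0, "times": []})
    for ev in events:
        if ev.get("event.name") != "login_success":
            continue
        if ev.get("login_challenge_method") in mfa_methods:  # NOT `gws_login_mfa_methods`
            continue
        key = tuple(ev.get(f) for f in GWS_GROUP_FIELDS)
        g = groups[key]
        g["count"] += 1
        g["times"].append(ev["_time"])
    return [
        dict(zip(GWS_GROUP_FIELDS, k), count=g["count"],
             firstTime=ctime(min(g["times"])), lastTime=ctime(max(g["times"])))
        for k, g in groups.items()
    ]


if __name__ == "__main__":
    for row in azure_single_factor_success(AZURE_EVENTS) + gws_single_factor_success(GWS_EVENTS):
        print(row)
```

On the constructed input each function returns a single aggregated row: the Azure search collapses two users behind one source IP and application into one result, while the GWS search keys on `user` and so reports one row per account. The multi-factor and failed events are excluded by the filter stage, exactly as the SPL `NOT` and equality conditions do.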