MFA was disabled for an Azure identity

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-18
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Hour

Required Data

  • Requires:
    • AzureAD Audit Log

Detection Modules

Identity Threat Module

ATT&CK Tactic

ATT&CK Technique

Modify Authentication Process (T1556)

Severity

Low

Description

MFA was disabled for the user.

Attacker's Goals

This allows the attacker to connect using this account without the need for the additional layer of authentication.

Investigative actions

  • Follow further actions by the initiator.
  • Check the login activity from this account.
  • Follow further actions done by this account.

Variations

MFA was disabled for an Azure identity from a new country

Synopsis

ATT&CK Tactic

ATT&CK Technique

Modify Authentication Process (T1556)

Severity

Medium

Description

MFA was disabled for the user from a new country.

Attacker's Goals

This allows the attacker to connect using this account without the need for the additional layer of authentication.

Investigative actions

  • Follow further actions by the initiator.
  • Check the login activity from this account.
  • Follow further actions done by this account.


MFA was disabled for an Azure identity regularly by the user

Synopsis

ATT&CK Tactic

ATT&CK Technique

Modify Authentication Process (T1556)

Severity

Informational

Description

MFA was disabled for the user.

Attacker's Goals

This allows the attacker to connect using this account without the need for the additional layer of authentication.

Investigative actions

  • Follow further actions by the initiator.
  • Check the login activity from this account.
  • Follow further actions done by this account.