Azure audit - MFA fraud reported

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2025-04-07
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: AzureAD Audit Log
Detection Modules	Identity Threat Module
Detector Tags
ATT&CK Tactic	Persistence (TA0003)
ATT&CK Technique	Valid Accounts (T1078)
Severity	Informational

Description

Azure audit - MFA fraud reported by user.

Attacker's Goals

An attacker can bypass an MFA method and get access to the account.

Investigative actions

Check if the authentication attempt was legit.
Follow the account for possible suspicious or unusual logins.

Variations

Azure audit - MFA fraud reported by sensitive user

Synopsis

ATT&CK Tactic	Persistence (TA0003)
ATT&CK Technique	Valid Accounts (T1078)
Severity	Low

Description

Azure audit - MFA fraud reported by sensitive user.

Attacker's Goals

An attacker can bypass an MFA method and get access to the account.

Investigative actions

Check if the authentication attempt was legit.
Follow the account for possible suspicious or unusual logins.