Monitor for excessive or anomalous MFA push notifications or token requests, especially when login attempts originate from unusual IPs or geolocations and do not correspond to legitimate user-initiated sessions.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | azure:signinlogs | Multiple MFA challenge requests without successful primary login |
| Application Log Content (DC0038) | NSM:Connections | PushNotificationSent |

| Field | Description |
|---|---|
| TimeWindow | Threshold of MFA prompts per user within a short time period |
| GeoIPAllowList | Expected login locations for workforce; deviations can be tuned |
Detect abnormal MFA activity within cloud service provider logs, such as repeated generation of MFA challenges for the same user session or mismatched MFA device and login origin.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | AWS:CloudTrail | AssumeRole or ConsoleLogin with repeated MFA failures followed by repeated MFA requests |

| Field | Description |
|---|---|
| FailedLoginThreshold | Number of failed logins before raising detection |
Detect repeated failed login events followed by MFA challenges triggered in rapid succession, especially if originating from service accounts or anomalous IP addresses.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | WinEventLog:Security | EventCode=4625 |

| Field | Description |
|---|---|
| ServiceAccountExclusion | Exclude specific accounts where automated MFA requests are legitimate |
Monitor PAM and syslog entries for unusual frequency of login attempts that trigger MFA prompts, particularly when MFA challenges do not match expected user behavior.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | auditd:AUTH | pam_unix or pam_google_authenticator invoked repeatedly within short interval |

| Field | Description |
|---|---|
| AuthRetryThreshold | Number of retries per user allowed before detection is triggered |
Detect anomalous OAuth or SSO logins that repeatedly generate MFA challenges, particularly where MFA approvals are denied or timed out by the user.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | saas:okta | MFAChallengeIssued |

| Field | Description |
|---|---|
| MFAProvider | Identify which MFA service provider logs are in use (Okta, Duo, Microsoft Authenticator) |
Detect user account logon attempts that trigger multiple MFA challenges through enterprise identity integrations, especially if MFA push requests are generated without successful interactive login.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Metadata (DC0088) | macos:unifiedlog | authd generating multiple MFA token requests |

| Field | Description |
|---|---|
| DeviceEnrollmentStatus | Exclude unmanaged macOS devices that use different MFA providers |
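The analytics above share one core: count MFA challenges per user inside a sliding TimeWindow, weigh how many were denied or timed out, compare the origin against GeoIPAllowList, and skip accounts listed in ServiceAccountExclusion. The following is an added illustration of that logic, not code from the ATT&CK project; the event records, field names (`user`, `country`, `result`) and tuning values are constructed for the example and would be mapped onto whichever provider log (Okta, Entra ID sign-in logs, CloudTrail) is actually in use.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ev(ts, user, country, result):
    """Build one constructed MFAChallengeIssued record (field names are assumptions)."""
    return {"ts": ts, "user": user, "event": "MFAChallengeIssued",
            "country": country, "result": result}


# Constructed sample data: a push-bombing burst against "alice" from an
# unexpected country, one normal approval for "bob", and a service account
# whose automated MFA requests are expected and should be excluded.
SAMPLE_EVENTS = [
    ev("2024-05-01T09:00:00", "bob", "US", "approved"),
    ev("2024-05-01T09:01:00", "alice", "RU", "denied"),
    ev("2024-05-01T09:01:20", "alice", "RU", "timeout"),
    ev("2024-05-01T09:01:45", "alice", "RU", "denied"),
    ev("2024-05-01T09:02:05", "alice", "RU", "timeout"),
    ev("2024-05-01T09:02:30", "alice", "RU", "denied"),
] + [ev(f"2024-05-01T09:03:{10 * i:02d}", "svc-backup", "US", "approved") for i in range(5)]


def detect_mfa_fatigue(events, time_window=120, prompt_threshold=5,
                       geo_allowlist=("US",), service_account_exclusion=("svc-backup",)):
    """Return {user: alert} for users whose MFA challenges reach prompt_threshold
    within time_window seconds. Each alert records the challenge count, how many
    were not approved, and any origin country outside geo_allowlist."""
    window = timedelta(seconds=time_window)
    recent = defaultdict(deque)  # user -> (timestamp, result, country) within the window
    alerts = {}
    for e in sorted(events, key=lambda r: r["ts"]):
        if e["event"] != "MFAChallengeIssued" or e["user"] in service_account_exclusion:
            continue
        ts = datetime.fromisoformat(e["ts"])
        q = recent[e["user"]]
        q.append((ts, e["result"], e["country"]))
        while ts - q[0][0] > window:  # drop challenges that fell out of the window
            q.popleft()
        if len(q) >= prompt_threshold:
            alerts[e["user"]] = {
                "count": len(q),
                "unapproved": sum(1 for _, r, _ in q if r != "approved"),
                "unexpected_origin": sorted({c for _, _, c in q if c not in geo_allowlist}),
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
            }
    return alerts
```

A high `unapproved` share combined with an out-of-allowlist origin is the strongest signal; a burst of approved prompts from an expected location is more often an integration or a user retrying.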