Azure Entra MFA TOTP Brute Force Attempts

Last updated: 2024-12-11
Created: 2024-12-11

About

Identifies brute-force attempts against Azure Entra multi-factor authentication (MFA) time-based one-time password (TOTP) verification codes. The rule detects a high number of failed TOTP code submissions for a single sign-in identifier within a short time span. Adversaries who already hold valid credentials may be prompted for a TOTP code when logging in to the Azure portal or other Azure services; an adversary who guesses the code bypasses MFA and gains unauthorized access to Azure resources.
Tags
Domain: Cloud, Domain: SaaS, Data Source: Azure, Data Source: Entra ID, Data Source: Entra ID Sign-in, Use Case: Identity and Access Audit, Use Case: Threat Detection, Tactic: Credential Access
Severity
medium
Risk Score
47
MITRE ATT&CK™

Credential Access (TA0006)

False Positive Examples
Given the high threshold (more than 30 failed TOTP code attempts in a short time span), a legitimate user is unlikely to trigger this rule; mistyping a code a handful of times does not come close.
License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

azure

Query
from logs-azure.signinlogs* metadata _id, _version, _index
| where
    // filter for Entra Sign-In Logs
    event.dataset == "azure.signinlogs"
    and azure.signinlogs.operation_name == "Sign-in activity"

    // filter for MFA sign-ins that used an OATH verification code (TOTP)
    and azure.signinlogs.properties.authentication_requirement == "multiFactorAuthentication"
    and azure.signinlogs.properties.mfa_detail.auth_method == "OATH verification code"

    // keep only failed strong-authentication attempts
    and azure.signinlogs.properties.conditional_access_status == "failure"
    and azure.signinlogs.result_description == "Authentication failed during strong authentication request."
| keep azure.signinlogs.properties.sign_in_identifier
| stats
    // aggregate by the sign-in account or principal
    failed_totp_code_attempts = count(*) by azure.signinlogs.properties.sign_in_identifier
| where
    // filter on high frequency for a single user
    failed_totp_code_attempts > 30
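To see what the aggregation above actually does, here is the same filter-and-count logic re-implemented in Python and run over constructed sign-in records. This is an added example, not code from the Elastic rule; the field names mirror the azure.signinlogs.* fields the query filters on, the 30-attempt threshold is the rule's, and the explicit five-minute window is an assumption that stands in for the rule's scheduled lookback (the ES|QL query itself carries no time filter; the detection engine bounds it by the rule schedule). The sample events, usernames and the non-TOTP auth method string are constructed for illustration.

```python
"""Simulate the rule's filter + STATS count(*) BY sign_in_identifier step.

Added example, not part of the Elastic rule. All records below are
constructed sample data; the time window is an assumption standing in
for the rule's scheduled lookback.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 30                 # rule: failed_totp_code_attempts > 30
WINDOW = timedelta(minutes=5)  # assumption: stands in for the rule lookback

FAILURE_TEXT = "Authentication failed during strong authentication request."


def make_event(ts, user, auth_method="OATH verification code",
               cas="failure", result=FAILURE_TEXT):
    """Build one flattened Entra sign-in record (constructed sample data)."""
    return {
        "@timestamp": ts,
        "event.dataset": "azure.signinlogs",
        "azure.signinlogs.operation_name": "Sign-in activity",
        "azure.signinlogs.properties.authentication_requirement": "multiFactorAuthentication",
        "azure.signinlogs.properties.mfa_detail.auth_method": auth_method,
        "azure.signinlogs.properties.conditional_access_status": cas,
        "azure.signinlogs.result_description": result,
        "azure.signinlogs.properties.sign_in_identifier": user,
    }


def matches_filter(ev):
    """The rule's WHERE clause: MFA sign-ins using an OATH code that failed."""
    return (
        ev["event.dataset"] == "azure.signinlogs"
        and ev["azure.signinlogs.operation_name"] == "Sign-in activity"
        and ev["azure.signinlogs.properties.authentication_requirement"] == "multiFactorAuthentication"
        and ev["azure.signinlogs.properties.mfa_detail.auth_method"] == "OATH verification code"
        and ev["azure.signinlogs.properties.conditional_access_status"] == "failure"
        and ev["azure.signinlogs.result_description"] == FAILURE_TEXT
    )


def failed_totp_attempts(events, now, window=WINDOW):
    """STATS count(*) BY sign_in_identifier, restricted to the lookback window."""
    counts = defaultdict(int)
    for ev in events:
        if now - ev["@timestamp"] <= window and matches_filter(ev):
            counts[ev["azure.signinlogs.properties.sign_in_identifier"]] += 1
    return dict(counts)


def alerting_users(events, now, threshold=THRESHOLD):
    """Identifiers whose failed-TOTP count exceeds the threshold (the final WHERE)."""
    return sorted(u for u, n in failed_totp_attempts(events, now).items() if n > threshold)


def sample_events():
    """Constructed traffic: one brute-forced account, one legitimate user, some noise."""
    now = datetime(2024, 12, 11, 10, 0, tzinfo=timezone.utc)
    events = []
    # Attacker holding a valid password hammers TOTP codes: 35 failures in under 5 min
    for i in range(35):
        events.append(make_event(now - timedelta(seconds=8 * i), "victim@example.com"))
    # Older failures against the same account fall outside the window and are not counted
    for i in range(5):
        events.append(make_event(now - timedelta(minutes=10, seconds=i), "victim@example.com"))
    # Legitimate user mistypes the code three times, then succeeds
    for i in range(3):
        events.append(make_event(now - timedelta(seconds=60 + 20 * i), "alice@example.com"))
    events.append(make_event(now - timedelta(seconds=30), "alice@example.com",
                             cas="success", result=""))
    # Push-notification MFA failures use a different auth_method and are out of scope
    for i in range(40):
        events.append(make_event(now - timedelta(seconds=3 * i), "bob@example.com",
                                 auth_method="Mobile app notification"))
    return events, now


if __name__ == "__main__":
    events, now = sample_events()
    print(failed_totp_attempts(events, now))   # per-identifier failed TOTP counts
    print(alerting_users(events, now))         # identifiers that would alert
```

Only victim@example.com crosses the threshold: the three mistyped codes from the legitimate user and the forty push-notification failures never reach the count, and the older batch of victim failures is excluded by the window. When tuning the rule, the window is the knob to reason about, since a lookback shorter than the rule's run interval would let a slow-and-steady brute force split its attempts across runs and stay under 30 in each.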

Install detection rules in Elastic Security

Detect Azure Entra MFA TOTP Brute Force Attempts in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.