[Rule Tuning] Multi-Factor Authentication Disabled for User (#5006)

* tuning rule 'Multi-Factor Authentication Disabled for User'

* adjusted query logic

* fixed query logic for optimization that passes unit tests; changed severity and risk back to medium
Author: Terrance DeJesus
Date: 2025-08-29 13:20:12 -04:00
Committed by: GitHub
Parent: 590cc9cbbd
Commit: 4b9e3887bb
@@ -2,36 +2,39 @@
creation_date = "2020/08/20"
integration = ["azure"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2025/08/29"
[rule]
author = ["Elastic"]
description = """
Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA
Identifies when multi-factor authentication (MFA) is disabled for an Entra ID user account. An adversary may disable MFA
for a user account in order to weaken the authentication requirements for the account.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
from = "now-9m"
index = ["filebeat-*", "logs-azure.auditlogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Multi-Factor Authentication Disabled for an Azure User"
name = "Entra ID MFA Disabled for User"
note = """## Triage and analysis
### Investigating Multi-Factor Authentication Disabled for an Azure User
### Investigating Entra ID MFA Disabled for User
Multi-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.
If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.
For more information about using MFA in Azure AD, access the [official documentation](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks#how-to-enable-and-use-azure-ad-multi-factor-authentication).
For more information about using MFA in Microsoft Entra ID, access the [official documentation](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks#how-to-enable-and-use-azure-ad-multi-factor-authentication).
This rule identifies the deactivation of MFA for an Azure user account. This modification weakens account security and can lead to the compromise of accounts and other assets.
This rule identifies the deactivation of MFA for an Entra ID user account. This modification weakens account security and can lead to the compromise of accounts and other assets.
#### Possible investigation steps
- Identify the user account that performed the action and whether it should perform this kind of action.
- Investigate other alerts associated with the user account during the past 48 hours.
- Contact the account and resource owners and confirm whether they are aware of this activity.
- Correlate with Entra ID Sign-In Logs to identify anomalous sign-in attempts following MFA disablement.
- This rule does not identify if the user was removed from a conditional access policy (CAP) with MFA requirements.
- Instead the rule identifies both legacy and modern MFA disablement through user settings.
- Check if this operation was approved and performed according to the organization's change management policy.
- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.
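Review bot: the two new bullets about rule scope ("This rule does not identify if the user was removed from a conditional access policy (CAP) with MFA requirements." and "Instead the rule identifies both legacy and modern MFA disablement through user settings.") are caveats, not actions an analyst performs, so they read oddly under "#### Possible investigation steps"; move them into the description or a false-positive paragraph and rewrite the second as a standalone sentence rather than one beginning with "Instead". Separately, the lookback shrinks from `now-25m` to `now-9m` and the index pattern narrows from `logs-azure*` to `logs-azure.auditlogs-*`; the existing `timestamp_override = "event.ingested"` covers ingest delay, but deployments still writing audit logs under the broader index name will stop matching, which the Setup section should state.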
@@ -55,16 +58,16 @@ This rule identifies the deactivation of MFA for an Azure user account. This mod
- Implement security defaults [provided by Microsoft](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults).
- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
## Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
"""
risk_score = 47
rule_id = "dafa3235-76dc-40e2-9f71-1773b96d24cf"
severity = "medium"
tags = [
"Domain: Cloud",
"Domain: Identity",
"Data Source: Azure",
"Data Source: Microsoft Entra ID",
"Data Source: Microsoft Entra ID Audit Logs",
"Use Case: Identity and Access Audit",
"Resources: Investigation Guide",
"Tactic: Persistence",
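Review bot: removing `"Data Source: Azure"` while the rule still reads `filebeat-*` and `logs-azure.auditlogs-*` and the Setup text still names the Azure Fleet integration means any saved filter or dashboard keyed on that tag silently loses this rule; either keep it alongside the two new Entra ID tags or confirm the shared tag taxonomy has retired it, and confirm both `"Data Source: Microsoft Entra ID"` and `"Data Source: Microsoft Entra ID Audit Logs"` are accepted values in the tag list the unit tests mentioned in the commit message validate against. The risk_score of 47 and severity "medium" match the commit message's "changed severity and risk back to medium".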
@@ -73,16 +76,25 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success)
event.dataset: "azure.auditlogs" and
(azure.auditlogs.operation_name: "Disable Strong Authentication" or
(
azure.auditlogs.operation_name: "User deleted security info" and
azure.auditlogs.properties.additional_details.key: "AuthenticationMethod"
)) and event.outcome: (Success or success)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[[rule.threat.technique.subtechnique]]
id = "T1556.006"
name = "Multi-Factor Authentication"
reference = "https://attack.mitre.org/techniques/T1556/006/"
[rule.threat.tactic]
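Review bot: the new `"User deleted security info"` branch only requires that some `azure.auditlogs.properties.additional_details` entry carry the key `"AuthenticationMethod"`; it does not constrain the method value or check whether the user retains another registered method, so a user swapping a phone number or removing one of several methods fires the same alert as a full MFA removal. Either narrow on the value if the audit record supports it, or document this as an expected false-positive source in the note, since the severity was kept at medium. The ATT&CK change from T1098 to T1556 with subtechnique T1556.006 (Multi-Factor Authentication) fits the behaviour better, and the existing `"Tactic: Persistence"` tag remains valid for T1556.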