diff --git a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml similarity index 69% rename from rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml rename to rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml index df2043ba4..19495680a 100644 --- a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml +++ b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml @@ -2,36 +2,39 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2025/08/29" [rule] author = ["Elastic"] description = """ -Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA +Identifies when multi-factor authentication (MFA) is disabled for an Entra ID user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Multi-Factor Authentication Disabled for an Azure User" +name = "Entra ID MFA Disabled for User" note = """## Triage and analysis -### Investigating Multi-Factor Authentication Disabled for an Azure User +### Investigating Entra ID MFA Disabled for User Multi-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan. If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate. -For more information about using MFA in Azure AD, access the [official documentation](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks#how-to-enable-and-use-azure-ad-multi-factor-authentication). +For more information about using MFA in Microsoft Entra ID, access the [official documentation](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks#how-to-enable-and-use-azure-ad-multi-factor-authentication). -This rule identifies the deactivation of MFA for an Azure user account. This modification weakens account security and can lead to the compromise of accounts and other assets. +This rule identifies the deactivation of MFA for an Entra ID user account. This modification weakens account security and can lead to the compromise of accounts and other assets. #### Possible investigation steps - Identify the user account that performed the action and whether it should perform this kind of action. - Investigate other alerts associated with the user account during the past 48 hours. - Contact the account and resource owners and confirm whether they are aware of this activity. +- Correlate with Entra ID Sign-In Logs to identify anomalous sign-in attempts following MFA disablement. +- This rule does not identify if the user was removed from a conditional access policy (CAP) with MFA requirements. + - Instead the rule identifies both legacy and modern MFA disablement through user settings. - Check if this operation was approved and performed according to the organization's change management policy. - If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours. @@ -55,16 +58,16 @@ This rule identifies the deactivation of MFA for an Azure user account. This mod - Implement security defaults [provided by Microsoft](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults). - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - -## Setup - -The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" risk_score = 47 rule_id = "dafa3235-76dc-40e2-9f71-1773b96d24cf" severity = "medium" tags = [ "Domain: Cloud", + "Domain: Identity", "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence", @@ -73,16 +76,25 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success) +event.dataset: "azure.auditlogs" and + (azure.auditlogs.operation_name: "Disable Strong Authentication" or + ( + azure.auditlogs.operation_name: "User deleted security info" and + azure.auditlogs.properties.additional_details.key: "AuthenticationMethod" + )) and event.outcome: (Success or success) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + [rule.threat.tactic]