×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
BJanota29
New Member
Member since: ‎08-27-2024
‎09-04-2024
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-27-2024
Activity Feed
Topics I've Started
View All

MFA Fatigue Attack

by in Splunk Search
‎09-04-2024 05:34 AM
‎09-04-2024 05:34 AM
I am currently working on creating an alert for a possible MFA fatigue attack from our Entra ID sign in logs. The logic would be to find sign in events where a user received x number of MFA requests within a given timeframe, denied them all and then on the 5th one for example they approved the MFA request for our SOC to investigate. I have some of the logic for this written out below, but I am struggling to figure out how to add the last piece in of an approved MFA request after the x number of denied MFA attempts by the same user. Has anyone had any luck creating this and if so, how did you go about it? Any help is greatly appreciated. Thank you! index=cloud_entraid category=SignInLogs operationName="Sign-in activity" properties.status.errorCode=500121 properties.status.additionalDetails="MFA denied; user declined the authentication" | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent | where count > 4 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-04-2024 10:28 AM