Azure AD Successful Single-Factor Authentication
Description
The following analytic identifies a successful authentication event against Azure Active Directory for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Authentication
- Last Updated: 2023-12-20
- Author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
- ID: a560e7f6-1711-4353-885b-40be53101fcd
Annotations
ATT&CK
Kill Chain Phase
- Weaponization
- Exploitation
- Installation
- Delivery
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
1
2
3
4
`azure_monitor_aad` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication properties.authenticationDetails{}.succeeded=true
| rename properties.* as *
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, authenticationRequirement
| `azure_ad_successful_single_factor_authentication_filter`
Macros
The SPL above uses the following Macros:
azure_ad_successful_single-factor_authentication_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- category
- properties.authenticationRequirement
- properties.authenticationDetails
- user
- src_ip
- properties.appDisplayName
How To Implement
You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.
Known False Positives
Although not recommended, certain users may be required without multi-factor authentication. Filter as needed
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
45.0 | 50 | 90 | Successful authentication for user $user$ without MFA |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
- https://attack.mitre.org/techniques/T1078/004/
- [https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks)
- https://www.forbes.com/sites/daveywinder/2020/07/08/new-dark-web-audit-reveals-15-billion-stolen-logins-from-100000-breaches-passwords-hackers-cybercrime/?sh=69927b2a180f
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 2