Rules: Authentication Without MFA
A login was successful where the account did NOT use multi-factor authentication (MFA) to gain access. It is strongly recommended that all accounts used for access require MFA to protect the account in the event credentials are stolen. If MFA is required, it is recommended this rule be enabled for that vendor/product.
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Credential Access |
| Apply Risk to Entities | srcDevice_hostname, srcDevice_ip, device_ip, device_hostname, user_username |
| Signal Name | {{metadata_vendor}} {{metadata_product}} - Authentication Without MFA |
| Summary Expression | {{user_username}} logged on without MFA |
| Score/Severity | Static: 0 |
| Enabled by Default | False |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0006, _mitreAttackTactic:TA0001, _mitreAttackTechnique:T1078, _mitreAttackTechnique:T1586, _mitreAttackTechnique:T1078.004, _mitreAttackTechnique:T1586.002 |
| Origin | Field |
|---|---|
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | isNull |
| Normalized Schema | metadata_product |
| Normalized Schema | metadata_vendor |
| Normalized Schema | mfa |
| Normalized Schema | normalizedAction |
| Normalized Schema | objectType |
| Normalized Schema | srcDevice_hostname |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | success |
| Normalized Schema | user_username |