{
"id": "KB-O365-MFA-FATIGUE",
"memory_type": "knowledge",
"doc_type": "kb",
"scenario": "o365_suspicious_login",
"title": "MFA Fatigue Detection Notes",
"abstract": "Patterns for identifying MFA fatigue / push bombing during account compromise attempts.",
"key_points": [
"A run of repeated MFA prompts followed by a single approved prompt is suspicious.",
"User-reported prompt fatigue is strong supporting evidence.",
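"MFA fatigue is often coupled with credential theft rather than password spray alone; a push prompt normally follows a correct password, so the flood itself suggests the attacker already holds valid credentials."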
],
"investigation_guidance": [
"Review MFA event counts and timing.",
"Check whether the user acknowledged (approved or reported) unexpected prompts.",
"Look for subsequent session hijacking or mailbox abuse."
],
"decision_points": [
"A prompt flood combined with the user's denial of the sign-in attempts usually warrants immediate containment."
],
"related_refs": {
"playbooks": [
"PB-O365-LOGIN-001"
],
"cases": []
},
"source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/kb/KB-O365-MFA-FATIGUE.json",
"tags": [
"kb",
"o365",
"mfa-fatigue"
]
} |