AN0450: Analytic 0450
Detect abnormal MFA activity within cloud service provider logs, such as repeated generation of MFA challenges for the same user session or mismatched MFA device and login origin.
Analyst context for executives and security teams
Analytic 0450 is a cloud-focused detection concept for abnormal multi-factor authentication activity in IaaS provider logs. Its business value is in spotting identity friction that may indicate account misuse, MFA fatigue-style pressure, session anomalies, or configuration gaps before cloud access becomes a broader operational issue. For leaders, this matters because cloud control-plane access often governs critical infrastructure, data, and recovery capability.
Executive priority
Prioritize this analytic as part of cloud identity assurance and SOC readiness. Executives should ask whether cloud provider authentication logs are retained, searchable, and tied to incident response playbooks; whether MFA events can be correlated to user sessions and login origin; and whether teams can distinguish suspicious repeated challenges from normal user error or device changes. This is especially relevant for audit evidence around MFA enforcement and for validating that cloud identity controls are observable, not just configured.
Technical view
SOC and detection teams should validate whether IaaS logs expose MFA challenge generation, user/session identifiers, MFA device details, login origin, and authentication outcome. The supplied ATT&CK analytic highlights two detection ideas: repeated MFA challenge generation for the same user session and mismatches between MFA device and login origin. Because no tactic, technique relationship, or official detection logic is supplied, teams should treat this as a detection requirement to engineer and tune locally rather than a complete rule.
Likely telemetry
- Cloud service provider authentication logs
- MFA challenge and response events
- User account and session identifiers
- MFA device metadata where available
- Login origin data such as source IP, geography, or provider-reported origin
Detection direction
- Confirm that IaaS identity logs include enough detail to link MFA challenges to the same user session.
- Baseline normal MFA challenge frequency by user, role, application, and access pattern before setting thresholds.
- Investigate repeated MFA prompts within a single session, especially when paired with unusual login origin or failed authentication outcomes.
- Correlate MFA device information with login origin where the provider exposes both fields.
- Tune for expected benign causes such as new device enrollment, travel, network egress changes, help desk activity, or user retry behavior.
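The two detection ideas named in this analytic, repeated MFA challenges inside one user session and a mismatch between the MFA device and the login origin, are shown below as an added worked example run over a constructed log. This code is not MITRE's or Glexia's and no provider publishes this schema; the JSON field names (`time`, `user`, `session`, `event`, `device`, `origin`), the device-to-region registry, the threshold of four challenges in a ten-minute window and the event values are all assumptions standing in for whatever your IaaS provider actually exposes.

```python
"""Added example: AN0450-style MFA anomaly checks over a constructed cloud auth log."""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    session: str
    event: str    # assumed values: "mfa_challenge", "mfa_success", "mfa_failure"
    device: str   # MFA device identifier as reported by the provider (assumed field)
    origin: str   # login origin; a country code here, any provider-reported origin works


# Constructed sample log in a generic JSON-lines shape (not any provider's real schema).
# alice: one challenge, success.  bob: six challenges in four minutes, device registered
# elsewhere than the login origin.  carol: a single user retry, which should stay quiet.
SAMPLE_LOG = """\
{"time":"2026-01-10T08:00:00Z","user":"alice","session":"s-1","event":"mfa_challenge","device":"dev-a1","origin":"US"}
{"time":"2026-01-10T08:00:20Z","user":"alice","session":"s-1","event":"mfa_success","device":"dev-a1","origin":"US"}
{"time":"2026-01-10T09:10:00Z","user":"bob","session":"s-2","event":"mfa_challenge","device":"dev-b1","origin":"BR"}
{"time":"2026-01-10T09:10:45Z","user":"bob","session":"s-2","event":"mfa_failure","device":"dev-b1","origin":"BR"}
{"time":"2026-01-10T09:11:00Z","user":"bob","session":"s-2","event":"mfa_challenge","device":"dev-b1","origin":"BR"}
{"time":"2026-01-10T09:11:30Z","user":"bob","session":"s-2","event":"mfa_challenge","device":"dev-b1","origin":"BR"}
{"time":"2026-01-10T09:12:10Z","user":"bob","session":"s-2","event":"mfa_challenge","device":"dev-b1","origin":"BR"}
{"time":"2026-01-10T09:13:00Z","user":"bob","session":"s-2","event":"mfa_challenge","device":"dev-b1","origin":"BR"}
{"time":"2026-01-10T09:14:00Z","user":"bob","session":"s-2","event":"mfa_challenge","device":"dev-b1","origin":"BR"}
{"time":"2026-01-10T09:14:40Z","user":"bob","session":"s-2","event":"mfa_success","device":"dev-b1","origin":"BR"}
{"time":"2026-01-10T10:00:00Z","user":"carol","session":"s-3","event":"mfa_challenge","device":"dev-c1","origin":"US"}
{"time":"2026-01-10T10:00:30Z","user":"carol","session":"s-3","event":"mfa_failure","device":"dev-c1","origin":"US"}
{"time":"2026-01-10T10:01:00Z","user":"carol","session":"s-3","event":"mfa_challenge","device":"dev-c1","origin":"US"}
{"time":"2026-01-10T10:01:20Z","user":"carol","session":"s-3","event":"mfa_success","device":"dev-c1","origin":"US"}
"""

# Constructed registry: the region each MFA device was enrolled from (assumed data source;
# in practice this comes from the identity provider's device inventory).
DEVICE_REGISTRY = {"dev-a1": "US", "dev-b1": "DE", "dev-c1": "US"}


def parse_log(text):
    """Parse JSON-lines auth events into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(AuthEvent(
            ts=datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ"),
            user=rec["user"], session=rec["session"], event=rec["event"],
            device=rec["device"], origin=rec["origin"]))
    return events


def repeated_challenges(events, threshold=4, window=timedelta(minutes=10)):
    """Return {(user, session): n} for sessions where n >= threshold MFA challenges
    fall inside any sliding window of the given length."""
    by_session = defaultdict(list)
    for e in events:
        if e.event == "mfa_challenge":
            by_session[(e.user, e.session)].append(e.ts)
    hits = {}
    for key, stamps in by_session.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:   # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


def device_origin_mismatch(events, device_registry):
    """Return (user, session, device, registered_region, login_origin) once per session
    for challenges whose MFA device was enrolled from a different region than the login."""
    seen, out = set(), []
    for e in events:
        if e.event != "mfa_challenge":
            continue
        expected = device_registry.get(e.device)
        if expected is None or expected == e.origin:
            continue
        key = (e.user, e.session, e.device)
        if key not in seen:
            seen.add(key)
            out.append((e.user, e.session, e.device, expected, e.origin))
    return out


def run_detection(text, device_registry, threshold=4, window=timedelta(minutes=10)):
    """Run both checks over a raw log and return the findings keyed by check name."""
    events = parse_log(text)
    return {
        "repeated_challenges": repeated_challenges(events, threshold, window),
        "device_origin_mismatch": device_origin_mismatch(events, device_registry),
    }


if __name__ == "__main__":
    for check, findings in run_detection(SAMPLE_LOG, DEVICE_REGISTRY).items():
        print(check, findings)
```

The threshold and window are deliberately parameters: the baselining step above is what decides their values per user, role or application, and carol's two-challenge retry shows why the floor must sit above ordinary user error. A session that trips both checks, as bob's does here, is the strongest case for the session review and token containment actions listed under response procedures.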
Mitigation priorities
- Ensure MFA is consistently enforced for cloud access, especially privileged IaaS accounts.
- Verify logging is enabled and retained for cloud authentication and MFA events.
- Integrate cloud identity logs into SOC monitoring and incident response workflows.
- Define response procedures for abnormal MFA activity, including user verification, session review, and credential or token containment decisions.
- Use findings from this analytic to improve identity governance, access reviews, and compliance evidence for MFA monitoring.
Analyst notes and limits
This object is a detection analytic, not a full ATT&CK technique entry. It applies to IaaS platforms and focuses on abnormal MFA activity in cloud service provider logs. No relationships, tactics, aliases, labels, or official detection query were supplied, so implementation depends on the specific cloud provider log schema and the organization’s identity architecture.
The source does not provide a concrete detection rule, thresholds, data component mapping, related techniques, or adversary procedure examples. Local validation is required to determine log availability, field names, normal MFA behavior, false-positive rates, and response actions.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4833dff7f759… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0450
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.