AN0452: Analytic 0452
Monitor PAM and syslog entries for unusual frequency of login attempts that trigger MFA prompts, particularly when MFA challenges do not match expected user behavior.
Analyst context for executives and security teams
This analytic matters because repeated Linux login attempts that generate MFA prompts can create both security risk and operational noise. For leaders, the practical question is whether the organization can distinguish expected user authentication behavior from unusual prompt volume before users approve something by mistake, accounts lock out, or the SOC misses a meaningful identity signal in routine logs.
Executive priority
Prioritize this as an identity and SOC readiness validation item for Linux environments using PAM, syslog, and MFA. Executives should ask whether authentication logs are centrally collected, whether MFA prompt volume is measurable by user and source, and whether the SOC has an escalation path when prompt patterns do not match normal user behavior. This also supports audit and compliance evidence around authentication monitoring, but local control design and log retention determine its value.
Technical view
For Linux platforms, validate monitoring of PAM and syslog entries for unusual frequency of login attempts associated with MFA prompts. Detection engineering should define expected behavior by user, host, time window, and source context, then alert when MFA challenge frequency deviates from that baseline. Because no ATT&CK tactics, relationships, or formal detection logic are supplied, teams should treat this as a logging and anomaly-detection requirement rather than a complete rule.
Likely telemetry
- Linux PAM authentication logs
- Syslog authentication events
- MFA challenge or prompt records where available
- User, host, timestamp, and source address context tied to login attempts
- Account lockout, failed login, and successful login outcomes correlated with MFA prompts
Detection direction
- Confirm PAM and syslog authentication events are collected from in-scope Linux systems and retained centrally.
- Correlate login attempt frequency with MFA prompt generation, especially by user and time window.
- Tune thresholds against normal administrative and service-access patterns to reduce false positives.
- Review users with repeated MFA prompts that do not align with expected work patterns, locations, or access schedules where that context is available.
- Identify blind spots where MFA prompt telemetry is not linked to Linux authentication logs or where syslog coverage is incomplete.
Mitigation priorities
- Ensure Linux authentication logging through PAM and syslog is enabled and centrally monitored.
- Establish baseline authentication behavior for users and privileged accounts before relying on anomaly thresholds.
- Define an incident response workflow for unusual MFA prompt frequency, including user verification and account review.
- Review MFA configuration and user education so unexpected prompts are reported rather than approved.
- Use findings to improve identity monitoring evidence for audit, compliance, and SOC quality reviews.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Linux that specifically references PAM and syslog monitoring for unusual login-attempt frequency causing MFA prompts. No relationship context, tactics, procedure examples, or official detection logic were supplied, so the take focuses on defensive validation and operational decision value rather than adversary-specific behavior.
This assessment is limited to the official STIX fields and external reference provided. It does not establish active exploitation, attribution, specific threat groups, guaranteed detection, or coverage beyond Linux. Local MFA architecture, log quality, user baselines, and SIEM correlation determine practical effectiveness.
Analytic 0452
Monitor PAM and syslog entries for unusual frequency of login attempts that trigger MFA prompts, particularly when MFA challenges do not match expected user behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 930bf732c9b4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0452Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.