← Back to Explore
crowdstrike_cqlTTP
Cisco Duo - Failed MFA Login within 5 mins
Cisco Duo Failed MFA Login within 5 minutes highlights repeated authentication failures that may indicate MFA fatigue attacks, credential abuse, or ongoing account takeover attempts. Cisco Duo Failed MFA Login within 5 minutes highlights repeated authentication failures that may indicate MFA fatigue attacks, credential abuse, or ongoing account takeover attempts.
MITRE ATT&CK
Detection Query
#Vendor = cisco
| #event.module = "duo"
| event.action = "authentication"
| Vendor.reason =~ in(values=["no_keys_pressed","invalid_passcode","verification_code_incorrect","user_cancelled","no_response"])
|groupBy([user.name],function=[count(field=Vendor.reason, distinct=true, as=reason),collect(fields=[source.geo.country_name, source.ip,Vendor.reason]),min(@timestamp, as=start_time),max(@timestamp, as=end_time)])
|reason >1
| time_diff_min := (end_time - start_time) / 60000
| time_diff_min <= 5
| start_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=start_time, timezone=UTC)
| end_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=end_time, timezone=UTC)
| drop([start_time, end_time])
Author
Kundan Kumar
Data Sources
Other
Tags
Detection
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Cisco Duo - Failed MFA Login within 5 mins
# MITRE ATT&CK technique IDs
mitre_ids:
- T1621
# Description of what the query does and its purpose.
description: |
Cisco Duo Failed MFA Login within 5 minutes highlights repeated authentication failures that may indicate MFA fatigue attacks, credential abuse, or ongoing account takeover attempts.
# The author or team that created the query.
author: Kundan Kumar
# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
- Other
# Tags for filtering and categorization.
tags:
- Detection
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
#Vendor = cisco
| #event.module = "duo"
| event.action = "authentication"
| Vendor.reason =~ in(values=["no_keys_pressed","invalid_passcode","verification_code_incorrect","user_cancelled","no_response"])
|groupBy([user.name],function=[count(field=Vendor.reason, distinct=true, as=reason),collect(fields=[source.geo.country_name, source.ip,Vendor.reason]),min(@timestamp, as=start_time),max(@timestamp, as=end_time)])
|reason >1
| time_diff_min := (end_time - start_time) / 60000
| time_diff_min <= 5
| start_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=start_time, timezone=UTC)
| end_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=end_time, timezone=UTC)
| drop([start_time, end_time])
# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
Cisco Duo Failed MFA Login within 5 minutes highlights repeated authentication failures that may indicate MFA fatigue attacks, credential abuse, or ongoing account takeover attempts.