MFA Status Monitoring
Displays Multi-Factor Authentication (MFA) status events over time. Monitor for unexpected spikes in denials, errors, or timeouts that may indicate security threats, system issues, or user experience problems requiring investigation.
Identity, monitoring
FDR, intermediate, by CrowdStrike (cql-hub.com)
Query
#repo=base_sensor #event_simpleName=IdpPolicy*RuleMatch
| in(field=cid, values=[?SelectedCid])
| match(file="aid_master_main.csv", field=[cid, aid])
// Filters
| in(field=MachineDomain, values=[?SelectedDomain])
| case {
    IdpPolicyMfaStatus=1 | IdpPolicyMfaStatus:="Approved";
    IdpPolicyMfaStatus=2 | IdpPolicyMfaStatus:="Denied";
    IdpPolicyMfaStatus=32 | IdpPolicyMfaStatus:="Invalid input";
    IdpPolicyMfaStatus=64 | IdpPolicyMfaStatus:="Resp. timeout";
    IdpPolicyMfaStatus=128 | IdpPolicyMfaStatus:="User not enrolled";
    IdpPolicyMfaStatus=256 | IdpPolicyMfaStatus:="Service Error";
    IdpPolicyMfaStatus=640 | IdpPolicyMfaStatus:="No authorizer";
}
| timeChart(series=IdpPolicyMfaStatus)
Explanation
Imported from cql-hub.com. Add an explanation of the pipes here.
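One way to turn the chart's "unexpected spikes" guidance into a repeatable check on exported events, as an added example that is not part of the original query or CrowdStrike's code: it decodes IdpPolicyMfaStatus with the mapping from the query and flags hourly buckets where a non-Approved status rises above a median-based baseline. The function names, thresholds, and sample events (including status code 512) are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

# Status codes exactly as mapped in the query's case block.
MFA_STATUS = {1: "Approved", 2: "Denied", 32: "Invalid input", 64: "Resp. timeout",
              128: "User not enrolled", 256: "Service Error", 640: "No authorizer"}
T0 = 1_699_999_200  # constructed start time, aligned to an hour boundary

def decode(code):
    # Codes outside the page's mapping get an explicit label so they stay visible.
    return MFA_STATUS.get(int(code), f"Unmapped ({code})")

def bucket_counts(events, span=3600):
    """events: (epoch_seconds, raw IdpPolicyMfaStatus) pairs -> {bucket_start: Counter}."""
    buckets = defaultdict(Counter)
    for ts, code in events:
        buckets[ts - ts % span][decode(code)] += 1
    return dict(buckets)

def find_spikes(buckets, k=5.0, min_count=5):
    """Return (bucket, status, count, baseline) where a non-Approved status exceeds
    median + k * MAD of that status over all buckets (hypothetical thresholds)."""
    order = sorted(buckets)
    statuses = {s for c in buckets.values() for s in c} - {"Approved"}
    spikes = []
    for status in sorted(statuses):
        series = [buckets[b][status] for b in order]   # Counter yields 0 when absent
        base = median(series)
        mad = median([abs(v - base) for v in series])
        # Floor the MAD at 1 and the threshold at min_count so quiet series do not alert.
        threshold = max(base + k * max(mad, 1.0), min_count)
        spikes += [(b, status, n, base) for b, n in zip(order, series) if n > threshold]
    return spikes

def sample_events():
    """Constructed data: six quiet hours, a burst of denials in hour 4, one unmapped code."""
    events = []
    for h in range(6):
        start = T0 + h * 3600
        events += [(start + i, 1) for i in range(20)] + [(start + 100, 2)]
    events += [(T0 + 4 * 3600 + i, 2) for i in range(30)]
    events.append((T0 + 2 * 3600 + 5, 512))  # 512 is a made-up, unmapped value
    return events

if __name__ == "__main__":
    for bucket, status, count, base in find_spikes(bucket_counts(sample_events())):
        print(f"{bucket}: {status} count={count} baseline={base}")
```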
Variables to adjust
Review and adjust the values to match your environment.