MFA Push Fatigue - detects when a user is repeatedly prompted for MFA push.

Status: experimental
Severity: medium
Log source: product auth0
Author: Okta
Source: github.com/auth0/auth0-customer-detections

An adversary with access to compromised passwords may try to push bomb the victim. There is a chance that the victim will accept an MFA prompt to stop irritation.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1621` Multi-Factor Authentication Request Generation

Rule body yaml

title: MFA Push Fatigue - detects when a user is repeatedly prompted for MFA push.
id: e675f02e-716c-11f0-8602-723487b9527c
status: experimental
description: |
    An adversary with access to compromised passwords may try to push bomb the victim.
    There is a chance that the victim will accept an MFA prompt to stop irritation.
author: Okta
date: 2025-07-11
modified: 2025-09-02
logsource:
    product: auth0
detection:
    selection:
        data.type: gd_send_pn
        data.description: "Guardian - Second factor notification sent"
    condition: selection
explanation: >
    The query below filters events capturing sending push notifications.
    The Splunk query looks up additinal statistics, i.e. time window, number of pushes per notification.
    The alert is created when selected thresholds have been exceeded.
    It displays the IPs, number of affected users, and time window.
splunk: >
    index=auth0 data.tenant_name="{your_tenant_name}"
    data.type=gd_send_pn
    | fields data.user_id, data.ip
    | stats min(_time) as window_start_time, max(_time) as window_end_time, count as count_pushes_per_user by data.user_id
    ```| stats max(count_pushes_per_user) as max_count```
    | eval window_duration_seconds = window_end_time - window_start_time
    | eval window_duration_mins = window_duration_seconds/60
    | where window_duration_mins<={time_window_threshold} AND count_pushes_per_user > {count_pushes_per_user_threshold}
    ```Display the information in a table```
    | table count_pushes_per_user, window_duration_mins, data.user_id, data.ip
comments:
    - The Splunk query above shall be tuned to reflect a valid tenant name, how quick were seen push notifications were sent,
      i.e {time_window_threshold}, and how many push notifications have been sent per user ({count_pushes_per_user_threshold}).
    - A similar detection (with less details) can be implemented through Security Center and its alerts.
tenant_logs: |
    type:"gd_send_pn" AND description: "Guardian - Second factor notification sent"
prevention:
    - Enforcing strong MFA authenticators such as phishing-resistance with FIDO2 WebAuthn.
    - Implement passwordless authentication to reduce the risk for initial password compromise.
falsepositives:
    - Legitimate users who are trying to log in and are repeatedly prompted for MFA due to network issues or other problems.
level: medium
tags:
    - attack.credential-access
    - attack.t1621

Stages and Predicates

Stage 0: `condition`

selection

Stage 1: `selection`

selection:
    data.type: gd_send_pn
    data.description: "Guardian - Second factor notification sent"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`data.description`	eq	`Guardian - Second factor notification sent`
`data.type`	eq	`gd_send_pn`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

MFA Push Fatigue - detects when a user is repeatedly prompted for MFA push.

MITRE ATT&CK coverage

Rule body yaml

Stages and Predicates

Stage 0: `condition`

Stage 1: `selection`

Indicators

Keyboard shortcuts

Search operators

MFA Push Fatigue - detects when a user is repeatedly prompted for MFA push.

MITRE ATT&CK coverage

Rule body yaml

Stages and Predicates

Stage 0: condition

Stage 1: selection

Indicators

Stage 0: `condition`

Stage 1: `selection`