# Automating Response to Multi-Factor Authentication Threats

By [Tomer Haimof](https://www.paloaltonetworks.com/blog/author/tomer-haimof/?ts=markdown), Jan 30, 2025, 4 minutes

Tags: Playbook of the Week, Cortex, MFA, Security Automation, XSIAM

## **Introduction**

The [Cortex XSIAM Response and Remediation Pack](https://cortex.marketplace.pan.dev/marketplace/details/CortexResponseAndRemediation/) delivers a set of automated playbooks designed to streamline incident response and remediation. This blog highlights the *Compromised Accounts - User Rejected Numerous SSO MFA Attempts* playbook, which addresses threats tied to repeated multi-factor authentication (MFA) rejections.

## **Threat Overview**

Repeatedly rejected MFA attempts can signify malicious activity, such as attackers attempting to gain unauthorized access to user accounts. This pattern is often associated with brute-force or credential-stuffing attacks, in which adversaries try multiple login attempts until one succeeds. Such activity may also involve suspicious IPs or geolocations, potentially indicating a compromised account or an insider threat. This type of behavior requires prompt investigation and remediation to safeguard sensitive organizational data and prevent unauthorized access.

## **Purpose of the Playbook**

The "Compromised Accounts - User Rejected Numerous SSO MFA Attempts" playbook is designed to:

* Investigate alerts related to unusual MFA rejection patterns.
* Identify malicious intent through IP reputation analysis, risk scoring, and login behavior.
* Automate response actions to contain and remediate threats effectively.

### Alerts Addressed by the Playbook

This playbook addresses the following alerts:

* "User rejected numerous SSO MFA attempts."
* "Multiple SSO MFA attempts were rejected by a user with suspicious characteristics."

## **Stages of the Playbook**

The playbook comprises several stages to ensure thorough investigation and remediation:

**Triage:**

* Checks the reputation of the IP address associated with the MFA attempts.
* Gathers related login events for further analysis.
![Fig 1: Sequence in playbook showing IP reputation checks and data collection](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/01/word-image-333634-1.png)

Fig 1: Sequence in playbook showing IP reputation checks and data collection

**Early Containment:**

* If the IP address is identified as malicious, blocks the IP to prevent further unauthorized activity.
* Continues the investigation in parallel.

![Fig 2: Sequence of playbook showing early containment actions](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/01/word-image-333634-2.png)

Fig 2: Sequence of playbook showing early containment actions

**Investigation:**

* Assesses the user's risk score to identify potentially compromised accounts.
* Checks for excessive invalid-credential attempts, which indicate brute-force or credential-stuffing activity.
* Analyzes Okta logs to verify whether the source IP is flagged as malicious by Okta's threat intelligence.
* Reviews the number of MFA rejections to detect abnormal patterns.
* Identifies suspicious user-agent behavior, such as new or uncommon user agents, that may suggest malicious activity.
* Investigates previous failed Okta login attempts to uncover patterns of unauthorized access.

![Fig 3: Sequence of playbook assessing risk and potential malicious behaviors](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/01/word-image-333634-3.png)

Fig 3: Sequence of playbook assessing risk and potential malicious behaviors

**Containment:**

* If suspicious activity is confirmed, performs the following actions:
  * Clears the user's active sessions and expires their password to prevent further unauthorized access.
  * For confirmed successful login attempts, assigns a manual task for an analyst to review and decide on additional actions.
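As an added illustration (not code from the Cortex pack or the playbook itself), the following Python sketch applies the triage, investigation and containment checks of the stages above to a constructed batch of events. The event-type strings are modelled on Okta System Log names, while the thresholds, user-risk input, event records and action labels are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Illustrative thresholds: assumptions for this example, not the pack's values.
MFA_REJECT_THRESHOLD, INVALID_CRED_THRESHOLD, RISK_SCORE_THRESHOLD = 3, 5, 70

@dataclass
class Verdict:
    suspicious: bool = False
    reasons: list = field(default_factory=list)
    actions: list = field(default_factory=list)

def triage(source_ip, ip_is_malicious, verdict):
    """Early containment: block a known-bad IP while the investigation continues."""
    if ip_is_malicious:
        verdict.reasons.append(f"malicious IP reputation: {source_ip}")
        verdict.actions.append(f"block_ip:{source_ip}")

def investigate(events, user, source_ip, user_risk_score, known_agents, verdict):
    """Investigation checks over the user's recent events, then containment."""
    mine = [e for e in events if e["actor"] == user]
    rejects = sum(e["eventType"] == "user.mfa.okta_verify.deny_push" for e in mine)
    invalid = sum(e["eventType"] == "user.session.start" and e["outcome"] == "FAILURE"
                  for e in mine)
    okta_flagged = any(e["eventType"] == "security.threat.detected"
                       and e["client_ip"] == source_ip for e in events)
    new_agents = sorted({e["user_agent"] for e in mine} - set(known_agents))
    logged_in = any(e["eventType"] == "user.session.start" and e["outcome"] == "SUCCESS"
                    and e["client_ip"] == source_ip for e in mine)
    if user_risk_score >= RISK_SCORE_THRESHOLD:
        verdict.reasons.append(f"user risk score {user_risk_score}")
    if invalid >= INVALID_CRED_THRESHOLD:
        verdict.reasons.append(f"{invalid} invalid-credential attempts")
    if okta_flagged:
        verdict.reasons.append("source IP flagged by Okta threat intelligence")
    if rejects >= MFA_REJECT_THRESHOLD:
        verdict.reasons.append(f"{rejects} MFA push rejections")
    if new_agents:
        verdict.reasons.append(f"unseen user agents: {new_agents}")
    # Containment: confirmed suspicion -> clear sessions and expire the password;
    # a successful login from the same IP also needs an analyst's decision.
    if verdict.reasons:
        verdict.suspicious = True
        verdict.actions += [f"clear_sessions:{user}", f"expire_password:{user}"]
        if logged_in:
            verdict.actions.append(f"manual_review:{user}")
    return verdict

# Constructed sample events in an Okta System Log-like shape (not real log data).
ATTACKER_IP, BOT_UA = "203.0.113.7", "python-requests/2.31"
def ev(actor, etype, outcome, ip=ATTACKER_IP, ua=BOT_UA):
    return {"actor": actor, "eventType": etype, "outcome": outcome, "client_ip": ip, "user_agent": ua}
EVENTS = ([ev("alice", "user.session.start", "FAILURE")] * 5
          + [ev("alice", "user.mfa.okta_verify.deny_push", "SUCCESS")] * 4
          + [ev("alice", "security.threat.detected", "SUCCESS"),
             ev("alice", "user.session.start", "SUCCESS"),
             ev("bob", "user.session.start", "FAILURE", "198.51.100.9", "Mozilla/5.0")])
def run_playbook(user="alice", source_ip=ATTACKER_IP, risk_score=85, ip_is_malicious=True):
    verdict = Verdict()
    triage(source_ip, ip_is_malicious, verdict)
    return investigate(EVENTS, user, source_ip, risk_score, {"Mozilla/5.0"}, verdict)
```

Running `run_playbook()` on the constructed batch yields a suspicious verdict with six reasons and the block, clear-sessions, expire-password and manual-review actions, while the same checks for `bob` from a clean IP produce no findings.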
![Fig 4: Sequence of playbook addressing remediation and containment actions](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/01/word-image-333634-4.png)

Fig 4: Sequence of playbook addressing remediation and containment actions

## **Security Challenges Addressed**

This playbook addresses key challenges in responding to suspicious MFA rejection patterns and speeds response times by automating actions and tasks:

* **Early Threat Detection:** Quickly identifies potential account compromise scenarios.
* **Automated Containment:** Blocks malicious IPs and clears user sessions to mitigate threats effectively.
* **Comprehensive Investigation:** Aggregates evidence and provides detailed insights into user behavior and associated risks.
* **Adaptive Response:** Combines automated and manual actions to ensure flexible and effective remediation.

## **Conclusion**

Suspicious MFA rejection patterns demand immediate attention to prevent unauthorized access and potential data breaches. The "Compromised Accounts - User Rejected Numerous SSO MFA Attempts" playbook equips SOC teams with the tools to detect, investigate, and remediate these threats efficiently. By leveraging the Cortex XSIAM Response and Remediation Pack, organizations can enhance their incident response capabilities and protect sensitive resources.

## **Learn More**

You might be interested in other playbooks in this pack, such as [Automating Response to Unauthorized Email Forwarding Activity in Google Workspace](https://www.paloaltonetworks.com/blog/security-operations/automating-response-to-unauthorized-email-forwarding-activity-in-google-workspace/), [Automate Response to Event Log Clearing Alerts with Cortex XSIAM](https://www.paloaltonetworks.com/blog/security-operations/automate-response-to-event-log-clearing-alerts-with-cortex-xsiam/), and [Handling Successful SSO Sign-ins from Tor](https://www.paloaltonetworks.com/blog/security-operations/handling-successful-sso-sign-ins-from-tor/).
Explore more about the Cortex XSIAM Response and Remediation Pack and its advanced playbooks on the [Cortex Marketplace](https://cortex.marketplace.pan.dev/marketplace/details/CortexResponseAndRemediation/).