Forum Discussion

cklonger
Copper Contributor
Feb 24, 2021

How to make Rule "Explicit MFA Deny" better?

Hello,

We have had this rule turned on for weeks, but all the incidents from the rule seem to be benign.
The query is as follows:

SigninLogs
| where ResultType == 500121                                       // AADSTS500121: sign-in failed during the strong authentication (MFA) request
| where Status has "MFA Denied; user declined the authentication"  // the user pressed Deny on the MFA prompt
| extend AccountCustomEntity = AlternateSignInName                 // entity mappings for the Sentinel incident
| extend IPCustomEntity = IPAddress
| extend URLCustomEntity = ClientAppUsed

Our idea is to check the previous login IP or the deviceId in DeviceDetail.

Is there any other suggestion or comment?
Thanks a lot

  • Ash_Camp
    Copper Contributor

    cklonger

    Try this query:


    // Run the same filter over both the interactive and the non-interactive sign-in tables
    let aadFunc = (Table:string)
    {
        table(Table)
        | where ResultType == 500121                                       // MFA denial error code
        | where Status has "MFA Denied; user declined the authentication"  // user pressed Deny
        | extend timestamp = TimeGenerated,
                 AccountCustomEntity = UserPrincipalName,
                 IPCustomEntity = IPAddress,
                 URLCustomEntity = ClientAppUsed
    };
    let aadSignin = aadFunc("SigninLogs");
    let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
    // isfuzzy=true keeps the query valid if one of the tables is not ingested in the workspace
    union isfuzzy=true aadSignin, aadNonInt

  • Thanks for the question. Are you looking to see if there was a successful MFA before this? If so, you can check for success and likely the IP would be a good place to start. This hunting query shows how to use an anti-join to exclude previous logons - https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/new_locations_azuread_signin.yaml - it is based on location, but you can apply the same concept to IP. I would be careful about how far you look back. You may also want to compare AppDisplayName to make sure it is the same app and also look at MfaDetail to confirm the authmethod.
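The following query puts the two suggestions in this thread together: the original post's idea of checking the previous login IP or device ID, and the anti-join against prior sign-ins from the reply above. It is an added example, not code from the thread or from the Sentinel template. Column names follow the SigninLogs / AADNonInteractiveUserSignInLogs schema; the 14-day lookback and 1-day alert window are assumptions to tune, and the "known good" definition (a completed MFA sign-in by the same user from the same IP or device) is one choice of baseline, not the only one.

```kql
// Added example (not from the thread or the Sentinel template).
// A deny is suppressed when the same user has already passed MFA from the
// same IP address, or on the same Azure AD device ID, inside the lookback window.
let lookback    = 14d;   // assumed: how far back a prior success counts as "known good"
let alertWindow = 1d;    // assumed: how far back to look for denies to alert on
let signins = (Table:string)
{
    table(Table)
    // DeviceDetail and MfaDetail are dynamic in SigninLogs but JSON strings in
    // AADNonInteractiveUserSignInLogs; parse_json() handles both shapes.
    | extend DeviceId   = tostring(parse_json(DeviceDetail).deviceId)
    | extend AuthMethod = tostring(parse_json(MfaDetail).authMethod)
    | project TimeGenerated, Type, UserPrincipalName, IPAddress, DeviceId,
              ResultType, Status, AppDisplayName, ClientAppUsed, AuthMethod,
              AuthenticationRequirement
};
let allSignins = union isfuzzy=true
    signins("SigninLogs"),
    signins("AADNonInteractiveUserSignInLogs");
// Baseline: user/IP and user/device pairs that completed an MFA sign-in in the lookback window.
// ResultType is a string column, so compare against string literals.
let knownGood = allSignins
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | where AuthenticationRequirement == "multiFactorAuthentication"
    | summarize LastSuccess = max(TimeGenerated) by UserPrincipalName, IPAddress, DeviceId;
allSignins
| where TimeGenerated > ago(alertWindow)
| where ResultType == "500121"
| where Status has "MFA Denied; user declined the authentication"
// Drop denies coming from an IP the user has already passed MFA from ...
| join kind=leftanti (knownGood | distinct UserPrincipalName, IPAddress)
    on UserPrincipalName, IPAddress
// ... and denies from a device the user has already passed MFA on.
// Denies with an empty DeviceId never match here and are kept.
| join kind=leftanti (knownGood | where isnotempty(DeviceId) | distinct UserPrincipalName, DeviceId)
    on UserPrincipalName, DeviceId
// Keep the app and the MFA method so the analyst can compare them with the user's normal pattern
| project TimeGenerated, Type, UserPrincipalName, IPAddress, DeviceId,
          AppDisplayName, ClientAppUsed, AuthMethod
| extend timestamp = TimeGenerated,
         AccountCustomEntity = UserPrincipalName,
         IPCustomEntity = IPAddress,
         URLCustomEntity = ClientAppUsed
```

Two things to watch when tuning this: a long lookback makes the baseline more forgiving, so a deny from an IP an attacker has also used for a successful phish-and-replay would be suppressed, which is why the reply above warns about how far back you look; and the baseline only covers sign-ins that actually required MFA, so a user whose prior sign-ins were single-factor (for example from a compliant device with a Conditional Access exclusion) will still alert on the first deny from that location.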
