Forum Discussion
cklonger
Feb 24, 2021 (Copper Contributor)
How to make Rule "Explicit MFA Deny" better?
Hello, we have had this rule turned on for weeks, but all the incidents from the rule seem to be benign. The query is as follows: SigninLogs | where ResultType == 500121 | where Status has "MFA Denied;...
Ash_Camp
Nov 17, 2021 (Copper Contributor)
Try this query:
// Function that applies the same filter to whichever sign-in table is passed in
let aadFunc = (Table:string)
{
    table(Table)
    // 500121 = authentication failed during the strong-authentication (MFA) request
    | where ResultType == 500121
    // keep only the case where the user actively rejected the prompt
    | where Status has "MFA Denied; user declined the authentication"
    // carry the source table name (Type) through so the result shows where each row came from
    | extend Type = Type
    // entity mapping columns expected by the Sentinel analytics rule
    | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed
};
// interactive sign-ins
let aadSignin = aadFunc("SigninLogs");
// non-interactive sign-ins (token refreshes, background clients), which the original rule misses
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
// isfuzzy=true lets the query run even if one of the tables does not exist in the workspace
union isfuzzy=true aadSignin, aadNonInt
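An added example, not posted by either participant, that builds on the query above to cut down the single benign declines: it keeps the same deny filter over both tables, but only surfaces a user who rejects several prompts inside one time bin, or a decline that is followed by a success for the same user from the same IP. The 3-denial threshold, the 1-hour window, the 1-day lookback and the use of ResultType 0 as the success code are assumptions to tune for your tenant.

```kql
// Added example, not from the thread. Thresholds and window are assumptions: tune them.
let lookback = 1d;
let timeWindow = 1h;
let minDenies = 3;
// Declined MFA prompts, as in the rule above, from both sign-in tables.
let aadDenies = (Table:string)
{
    table(Table)
    | where TimeGenerated > ago(lookback)
    | where ResultType == 500121
    | where Status has "MFA Denied; user declined the authentication"
    | project TimeGenerated, UserPrincipalName, IPAddress, ClientAppUsed
};
// Successful sign-ins (ResultType 0, assumed success code) from the same tables.
let aadSuccess = (Table:string)
{
    table(Table)
    | where TimeGenerated > ago(lookback)
    | where ResultType == 0
    | project SuccessTime = TimeGenerated, UserPrincipalName, IPAddress
};
let denies = union isfuzzy=true aadDenies("SigninLogs"), aadDenies("AADNonInteractiveUserSignInLogs");
let successes = union isfuzzy=true aadSuccess("SigninLogs"), aadSuccess("AADNonInteractiveUserSignInLogs");
// Case 1: one user rejecting several prompts inside one time bin.
// A single decline is usually a user dismissing a stray prompt; a burst is worth a look.
let bursts = denies
    | summarize DenyCount = count(), FirstDeny = min(TimeGenerated), LastDeny = max(TimeGenerated),
                SourceIPs = make_set(IPAddress, 20), Apps = make_set(ClientAppUsed, 10)
                by UserPrincipalName, bin(TimeGenerated, timeWindow)
    | where DenyCount >= minDenies
    | project-away TimeGenerated;
// Case 2: a decline followed, within the window, by a success for the same user from the same IP.
// A prompt that was first rejected and then approved from the same source deserves review.
let denyThenSuccess = denies
    | join kind=inner successes on UserPrincipalName, IPAddress
    | where SuccessTime between (TimeGenerated .. (TimeGenerated + timeWindow))
    | summarize DenyCount = count(), FirstDeny = min(TimeGenerated), LastDeny = max(TimeGenerated),
                SourceIPs = make_set(IPAddress, 20), Apps = make_set(ClientAppUsed, 10),
                FirstSuccessAfterDeny = min(SuccessTime)
                by UserPrincipalName;
// Label each row with the reason it fired and keep the entity columns the rule expects.
union isfuzzy=true
    (bursts | extend Reason = "repeated_mfa_denies"),
    (denyThenSuccess | extend Reason = "deny_then_success_same_ip")
| extend timestamp = FirstDeny, AccountCustomEntity = UserPrincipalName
| order by LastDeny desc
```

Run it over a few weeks of history first and compare the row count against the original rule's incidents; the Reason column tells you which of the two conditions is still producing noise so you can raise the threshold or shorten the window for that case alone.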