Forum Discussion
cklonger
Feb 24, 2021
Copper Contributor
How to make Rule "Explicit MFA Deny" better?
Hello, we turned on this rule weeks ago, but all the incidents from the rule seem to be benign. The query is as follows: SigninLogs | where ResultType == 500121 | where Status has "MFA Denied;...
shainw
Microsoft
Mar 01, 2021
Thanks for the question. Are you looking to see if there was a successful MFA before this? If so, you can check for success, and likely the IP would be a good place to start. This hunting query shows how to use an anti-join to exclude previous logons - https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/new_locations_azuread_signin.yaml - it is based on location, but you can apply the same concept to IP. I would be careful about how far you look back. You may also want to compare AppDisplayName to make sure it is the same app, and also look at MfaDetail to confirm the auth method.
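The anti-join approach described in the reply above, written out as an added example (this is not code from the original thread or from the linked hunting query). It assumes the standard SigninLogs schema, that ResultType 0 marks a successful sign-in and 500121 an MFA failure (as on the page), that MfaDetail.authMethod holds the MFA method, and that the lookback and recent-window values are tuning choices, not values given in the thread:

```kql
// Assumed tuning knobs: how far back to look for prior successful MFA,
// and how recent an explicit deny must be to be surfaced.
let lookback = 14d;
let recent = 1d;
// Prior successful MFA sign-ins for each user / source IP / application / auth method.
// Keeping the window bounded follows the reply's advice not to look back too far.
let knownGood =
    SigninLogs
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | where ResultType == 0
    | extend AuthMethod = tostring(MfaDetail.authMethod)
    | where isnotempty(AuthMethod)
    | project UserPrincipalName, IPAddress, AppDisplayName, AuthMethod;
// Explicit MFA denies in the recent window, as in the rule quoted in the question.
SigninLogs
| where TimeGenerated > ago(recent)
| where ResultType == 500121
| where Status has "MFA Denied"
| extend AuthMethod = tostring(MfaDetail.authMethod)
// leftanti keeps only denies with NO earlier success from the same IP, for the same
// app and auth method: a user declining a prompt on a path that has never succeeded
// before is more interesting than one declining on a path they normally use.
| join kind=leftanti knownGood on UserPrincipalName, IPAddress, AppDisplayName, AuthMethod
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, AuthMethod, Status, Location
```

The join keys are where the tuning happens: dropping AppDisplayName or AuthMethod from the `on` clause makes the anti-join more aggressive (more denies suppressed), while adding Location back in reproduces the location-based logic of the linked hunting query. Check the volume of `knownGood` rows before widening `lookback`, since a long window on a busy tenant makes the join expensive and also starts suppressing denies from IPs the user has not touched in weeks.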