Feb 23 2021 05:48 PM
Hello,
We turned on this rule for weeks, but all the incidents from the rule seem to be benign.
The query is as follows:
SigninLogs
| where ResultType == 500121                                   // sign-in interrupted at the MFA step
| where Status has "MFA Denied; user declined the authentication"  // user actively rejected the prompt
| extend AccountCustomEntity = AlternateSignInName            // entity mapping for the Sentinel incident
| extend IPCustomEntity = IPAddress
| extend URLCustomEntity = ClientAppUsed
Our idea is to check the previous login IP or deviceId of DeviceDetail.
Is there any other suggestion or comment?
Thanks a lot
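One way to implement the idea of comparing an MFA-denied sign-in against the user's earlier logins, as an added example that is not the original poster's query or a Sentinel template. It assumes the standard Azure AD SigninLogs schema (ResultType is a string, DeviceDetail.deviceId is only populated for registered devices), and the 14-day baseline and 1-day detection window are arbitrary choices.

```kql
// Build a per-user baseline of IPs and device IDs seen on successful sign-ins.
let lookback = 14d;   // assumption: two weeks is enough history for "known" values
let known = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"                         // successful sign-ins only
    | extend DeviceId = tostring(DeviceDetail.deviceId)
    | summarize KnownIPs = make_set(IPAddress, 100),
                KnownDevices = make_set(DeviceId, 100)
              by UserPrincipalName;
// Take the MFA-denied events and keep only those whose IP or device is new for that user.
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "500121"
| where Status has "MFA Denied; user declined the authentication"
| extend DeviceId = tostring(DeviceDetail.deviceId)
| join kind=leftouter known on UserPrincipalName
// coalesce(): a user with no successful history has null sets, which should count as "not known"
| extend KnownIP = coalesce(set_has_element(KnownIPs, IPAddress), false),
         KnownDevice = isnotempty(DeviceId) and coalesce(set_has_element(KnownDevices, DeviceId), false)
| where not(KnownIP) or not(KnownDevice)
| project TimeGenerated, UserPrincipalName, IPAddress, KnownIP, DeviceId, KnownDevice,
          ClientAppUsed, Location
| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
```

Denials from an IP and device the user has already succeeded from are dropped, which removes most of the benign "user tapped Deny by mistake" incidents while keeping the ones that look like a push from an unfamiliar source.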
Feb 28 2021 07:19 PM