Just wanted to start a conversation on what custom CAS policies you find most useful. There are plenty of activities to monitor, which ones have you considered worth while to monitor?

To kick it off, we have MFA. Since there isn't a supported policy to monitor failed MFA results, aka, an adversary got the password right, but they're failing at the MFA screen, I made my own. Whether it's actually encompassing everything I want it to or not, is up for debate.

Activity Type - Equals - Failed log on: DeviceAuth:reprocessTls + OrgIdWsFederation:federation + Login: reprocess

What custom CAS rules have you guys made?