New Failed Sign in MACS Policy

Question

Hi Guys,&nbsp;&nbsp;I am trying to get a new policy corrected so that it does not show so much noise. What I have done is created a policy that looks for failed sign in's. In the Activity section of the policy I have selected "Failed Log on". However what I would really like to see is just&nbsp;"(Failure message: Strong Authentication (second factor) is required)" messages. The idea is that we have all users in MFA so seeing an alert with 5 failed MFA attempts in 5 min should mean that either the user is having problem or someone else might be trying to access that account. We have the policy but it creates quite a few alerts as I cannot find the activity linked to Failed MFA attempts.&nbsp;Any help would be appreciated.&nbsp;

valon_kolica · Answer

JasonNeasham&nbsp;
&nbsp;
Hi, Sebastien Molendijk is this something you can speak to?
&nbsp;

parister · Answer

I never get failed log in attempts, is there something more to configure?

valon_kolica · Answer

parister&nbsp;
Looping Andrew Harris (AZURE SEC)&nbsp;

Forum Discussion

New Failed Sign in MACS Policy

Share

Resources