Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Explicit MFA Deny

Explicit MFA Deny

Back
Ida22740ec-fc1e-4c91-8de6-c29c6450ad00
RulenameExplicit MFA Deny
DescriptionUser explicitly denies MFA push, indicating that login was not expected and the account’s password may be compromised.
SeverityMedium
TacticsCredentialAccess
TechniquesT1110
Required data connectorsAzureActiveDirectory
MicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ExplicitMFADeny.yaml
Version1.0.6
Arm templatea22740ec-fc1e-4c91-8de6-c29c6450ad00.json
Deploy To Azure
let aadFunc = (tableName: string) {
    table(tableName)
    | where ResultType == 500121
    | where Status has "MFA Denied; user declined the authentication" or Status has "MFA denied; Phone App Reported Fraud"
    | extend Type = Type, PublicIP = IPAddress
    | extend
        Name = tostring(split(UserPrincipalName, '@', 0)[0]),
        UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])
};
let aadSignin = aadFunc("SigninLogs");
let dvcInfo = DeviceInfo
    | extend SensorHealthState = column_ifexists("SensorHealthState", "")
    | where OnboardingStatus == "Onboarded" and SensorHealthState == "Active"
    | project PublicIP, AadDeviceId;
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
| join kind=leftouter dvcInfo on PublicIP

relevantTechniques:
- T1110
queryPeriod: 1h
tactics:
- CredentialAccess
requiredDataConnectors:
- dataTypes:
  - SigninLogs
  connectorId: AzureActiveDirectory
- dataTypes:
  - AADNonInteractiveUserSignInLogs
  connectorId: AzureActiveDirectory
- dataTypes:
  - DeviceInfo
  connectorId: MicrosoftThreatProtection
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: UserPrincipalName
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: PublicIP
  entityType: IP
- fieldMappings:
  - identifier: ResourceId
    columnName: ResourceId
  entityType: AzureResource
- fieldMappings:
  - identifier: Name
    columnName: AppDisplayName
  - identifier: AppId
    columnName: AppId
  entityType: CloudApplication
name: Explicit MFA Deny
status: Available
query: |
  let aadFunc = (tableName: string) {
      table(tableName)
      | where ResultType == 500121
      | where Status has "MFA Denied; user declined the authentication" or Status has "MFA denied; Phone App Reported Fraud"
      | extend Type = Type, PublicIP = IPAddress
      | extend
          Name = tostring(split(UserPrincipalName, '@', 0)[0]),
          UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])
  };
  let aadSignin = aadFunc("SigninLogs");
  let dvcInfo = DeviceInfo
      | extend SensorHealthState = column_ifexists("SensorHealthState", "")
      | where OnboardingStatus == "Onboarded" and SensorHealthState == "Active"
      | project PublicIP, AadDeviceId;
  let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
  union isfuzzy=true aadSignin, aadNonInt
  | join kind=leftouter dvcInfo on PublicIP  
queryFrequency: 1h
id: a22740ec-fc1e-4c91-8de6-c29c6450ad00
severity: Medium
description: |
    'User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.'
version: 1.0.6
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ExplicitMFADeny.yaml
kind: Scheduled
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a22740ec-fc1e-4c91-8de6-c29c6450ad00')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a22740ec-fc1e-4c91-8de6-c29c6450ad00')]",
      "properties": {
        "alertRuleTemplateName": "a22740ec-fc1e-4c91-8de6-c29c6450ad00",
        "customDetails": null,
        "description": "'User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.'\n",
        "displayName": "Explicit MFA Deny",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserPrincipalName",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "PublicIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "columnName": "ResourceId",
                "identifier": "ResourceId"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "AppDisplayName",
                "identifier": "Name"
              },
              {
                "columnName": "AppId",
                "identifier": "AppId"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ExplicitMFADeny.yaml",
        "query": "let aadFunc = (tableName: string) {\n    table(tableName)\n    | where ResultType == 500121\n    | where Status has \"MFA Denied; user declined the authentication\" or Status has \"MFA denied; Phone App Reported Fraud\"\n    | extend Type = Type, PublicIP = IPAddress\n    | extend\n        Name = tostring(split(UserPrincipalName, '@', 0)[0]),\n        UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet dvcInfo = DeviceInfo\n    | extend SensorHealthState = column_ifexists(\"SensorHealthState\", \"\")\n    | where OnboardingStatus == \"Onboarded\" and SensorHealthState == \"Active\"\n    | project PublicIP, AadDeviceId;\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| join kind=leftouter dvcInfo on PublicIP\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.6",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}