Microsoft Sentinel Analytic Rules

Explicit MFA Deny

Id: a22740ec-fc1e-4c91-8de6-c29c6450ad00
Rulename: Explicit MFA Deny
Description: User explicitly denies MFA push, indicating that login was not expected and the account’s password may be compromised.
Severity: Medium
Tactics: CredentialAccess
Techniques: T1110
Required data connectors: AzureActiveDirectory
MicrosoftThreatProtection
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ExplicitMFADeny.yaml
Version: 1.0.6
Arm template: a22740ec-fc1e-4c91-8de6-c29c6450ad00.json
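// Explicit MFA Deny: surface interactive and non-interactive Entra ID sign-ins in
// which the user declined the MFA push or reported it as fraud, and enrich each hit
// with any onboarded, healthy Defender device seen on the same public IP.
// Output columns consumed by the rule's entity mappings: UserPrincipalName, Name,
// UPNSuffix, PublicIP, ResourceId, AppDisplayName, AppId.
let aadFunc = (tableName: string) {
    table(tableName)
    // 500121: authentication failed during the strong-authentication (MFA) request.
    | where ResultType == 500121
    // Keep only the two failure details that mean the user actively rejected the prompt.
    | where Status has "MFA Denied; user declined the authentication" or Status has "MFA denied; Phone App Reported Fraud"
    // PublicIP is the join key against DeviceInfo below. `Type = Type` is a no-op
    // carried from the original rule; presumably it pins the column for the union.
    | extend Type = Type, PublicIP = IPAddress
    // Split user@domain into the Name / UPNSuffix parts the Account entity mapping expects.
    | extend
        Name = tostring(split(UserPrincipalName, '@', 0)[0]),
        UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])
};
let aadSignin = aadFunc("SigninLogs");
// Onboarded devices with an active sensor only. DeviceInfo is a periodically reported
// inventory table, so one device can appear several times inside the lookback window;
// deduplicate on the join key so a single sign-in does not fan out into one alert per
// inventory snapshot. `distinct` also projects to exactly these two columns.
let dvcInfo = DeviceInfo
    | extend SensorHealthState = column_ifexists("SensorHealthState", "")
    | where OnboardingStatus == "Onboarded" and SensorHealthState == "Active"
    | distinct PublicIP, AadDeviceId;
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
// isfuzzy=true: the union still runs if one of the two tables is not ingested.
union isfuzzy=true aadSignin, aadNonInt
// leftouter: sign-ins from IPs with no managed device are still alerted on. Several
// distinct devices behind one shared egress IP will still yield one row per device.
| join kind=leftouter dvcInfo on PublicIP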
# Scheduled Sentinel analytic rule: fires (gt 0) on every run that returns at least
# one explicit MFA denial; runs hourly over the previous hour.
triggerOperator: gt
queryFrequency: 1h
description: |
    'User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.'
status: Available
kind: Scheduled
triggerThreshold: 0
# Two AzureActiveDirectory entries are listed because the query unions SigninLogs and
# AADNonInteractiveUserSignInLogs; the MicrosoftThreatProtection connector supplies
# DeviceInfo for the device enrichment.
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - SigninLogs
- connectorId: AzureActiveDirectory
  dataTypes:
  - AADNonInteractiveUserSignInLogs
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceInfo
version: 1.0.6
queryPeriod: 1h
name: Explicit MFA Deny
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ExplicitMFADeny.yaml
id: a22740ec-fc1e-4c91-8de6-c29c6450ad00
tactics:
- CredentialAccess
relevantTechniques:
- T1110
severity: Medium
# Every columnName below must exist in the query output. Name, UPNSuffix and PublicIP
# are produced by the extend steps in the query; UserPrincipalName, ResourceId,
# AppDisplayName and AppId are expected to come from the sign-in tables themselves.
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: UserPrincipalName
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: PublicIP
  entityType: IP
- fieldMappings:
  - identifier: ResourceId
    columnName: ResourceId
  entityType: AzureResource
- fieldMappings:
  - identifier: Name
    columnName: AppDisplayName
  - identifier: AppId
    columnName: AppId
  entityType: CloudApplication
# NOTE(review): dvcInfo is joined on PublicIP without deduplication. If DeviceInfo holds
# more than one row for the same device within the lookback window, each matching
# sign-in row is repeated once per DeviceInfo row; a `distinct PublicIP, AadDeviceId`
# step before the join would avoid that — confirm against the ingested DeviceInfo data.
query: |
  let aadFunc = (tableName: string) {
      table(tableName)
      | where ResultType == 500121
      | where Status has "MFA Denied; user declined the authentication" or Status has "MFA denied; Phone App Reported Fraud"
      | extend Type = Type, PublicIP = IPAddress
      | extend
          Name = tostring(split(UserPrincipalName, '@', 0)[0]),
          UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])
  };
  let aadSignin = aadFunc("SigninLogs");
  let dvcInfo = DeviceInfo
      | extend SensorHealthState = column_ifexists("SensorHealthState", "")
      | where OnboardingStatus == "Onboarded" and SensorHealthState == "Active"
      | project PublicIP, AadDeviceId;
  let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
  union isfuzzy=true aadSignin, aadNonInt
  | join kind=leftouter dvcInfo on PublicIP  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a22740ec-fc1e-4c91-8de6-c29c6450ad00')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a22740ec-fc1e-4c91-8de6-c29c6450ad00')]",
      "properties": {
        "alertRuleTemplateName": "a22740ec-fc1e-4c91-8de6-c29c6450ad00",
        "customDetails": null,
        "description": "'User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.'\n",
        "displayName": "Explicit MFA Deny",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserPrincipalName",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "PublicIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "columnName": "ResourceId",
                "identifier": "ResourceId"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "AppDisplayName",
                "identifier": "Name"
              },
              {
                "columnName": "AppId",
                "identifier": "AppId"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ExplicitMFADeny.yaml",
        "query": "let aadFunc = (tableName: string) {\n    table(tableName)\n    | where ResultType == 500121\n    | where Status has \"MFA Denied; user declined the authentication\" or Status has \"MFA denied; Phone App Reported Fraud\"\n    | extend Type = Type, PublicIP = IPAddress\n    | extend\n        Name = tostring(split(UserPrincipalName, '@', 0)[0]),\n        UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet dvcInfo = DeviceInfo\n    | extend SensorHealthState = column_ifexists(\"SensorHealthState\", \"\")\n    | where OnboardingStatus == \"Onboarded\" and SensorHealthState == \"Active\"\n    | project PublicIP, AadDeviceId;\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| join kind=leftouter dvcInfo on PublicIP\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.6",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}