Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Explicit MFA Deny

Explicit MFA Deny

Back
Ida22740ec-fc1e-4c91-8de6-c29c6450ad00
RulenameExplicit MFA Deny
DescriptionUser explicitly denies MFA push, indicating that login was not expected and the account’s password may be compromised.
SeverityMedium
TacticsCredentialAccess
TechniquesT1110
Required data connectorsAzureActiveDirectory
MicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ExplicitMFADeny.yaml
Version1.0.6
Arm templatea22740ec-fc1e-4c91-8de6-c29c6450ad00.json
Deploy To Azure
let aadFunc = (tableName: string) {
    table(tableName)
    | where ResultType == 500121
    | where Status has "MFA Denied; user declined the authentication" or Status has "MFA denied; Phone App Reported Fraud"
    | extend Type = Type, PublicIP = IPAddress
    | extend
        Name = tostring(split(UserPrincipalName, '@', 0)[0]),
        UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])
};
let aadSignin = aadFunc("SigninLogs");
let dvcInfo = DeviceInfo
    | extend SensorHealthState = column_ifexists("SensorHealthState", "")
    | where OnboardingStatus == "Onboarded" and SensorHealthState == "Active"
    | project PublicIP, AadDeviceId;
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
| join kind=leftouter dvcInfo on PublicIP

entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: UserPrincipalName
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: PublicIP
    identifier: Address
- entityType: AzureResource
  fieldMappings:
  - columnName: ResourceId
    identifier: ResourceId
- entityType: CloudApplication
  fieldMappings:
  - columnName: AppDisplayName
    identifier: Name
  - columnName: AppId
    identifier: AppId
tactics:
- CredentialAccess
triggerOperator: gt
description: |
    'User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - SigninLogs
- connectorId: AzureActiveDirectory
  dataTypes:
  - AADNonInteractiveUserSignInLogs
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceInfo
relevantTechniques:
- T1110
version: 1.0.6
id: a22740ec-fc1e-4c91-8de6-c29c6450ad00
kind: Scheduled
query: |
  let aadFunc = (tableName: string) {
      table(tableName)
      | where ResultType == 500121
      | where Status has "MFA Denied; user declined the authentication" or Status has "MFA denied; Phone App Reported Fraud"
      | extend Type = Type, PublicIP = IPAddress
      | extend
          Name = tostring(split(UserPrincipalName, '@', 0)[0]),
          UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])
  };
  let aadSignin = aadFunc("SigninLogs");
  let dvcInfo = DeviceInfo
      | extend SensorHealthState = column_ifexists("SensorHealthState", "")
      | where OnboardingStatus == "Onboarded" and SensorHealthState == "Active"
      | project PublicIP, AadDeviceId;
  let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
  union isfuzzy=true aadSignin, aadNonInt
  | join kind=leftouter dvcInfo on PublicIP  
status: Available
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ExplicitMFADeny.yaml
queryFrequency: 1h
severity: Medium
name: Explicit MFA Deny
queryPeriod: 1h

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a22740ec-fc1e-4c91-8de6-c29c6450ad00')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a22740ec-fc1e-4c91-8de6-c29c6450ad00')]",
      "properties": {
        "alertRuleTemplateName": "a22740ec-fc1e-4c91-8de6-c29c6450ad00",
        "customDetails": null,
        "description": "'User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.'\n",
        "displayName": "Explicit MFA Deny",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserPrincipalName",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "PublicIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "columnName": "ResourceId",
                "identifier": "ResourceId"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "AppDisplayName",
                "identifier": "Name"
              },
              {
                "columnName": "AppId",
                "identifier": "AppId"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ExplicitMFADeny.yaml",
        "query": "let aadFunc = (tableName: string) {\n    table(tableName)\n    | where ResultType == 500121\n    | where Status has \"MFA Denied; user declined the authentication\" or Status has \"MFA denied; Phone App Reported Fraud\"\n    | extend Type = Type, PublicIP = IPAddress\n    | extend\n        Name = tostring(split(UserPrincipalName, '@', 0)[0]),\n        UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet dvcInfo = DeviceInfo\n    | extend SensorHealthState = column_ifexists(\"SensorHealthState\", \"\")\n    | where OnboardingStatus == \"Onboarded\" and SensorHealthState == \"Active\"\n    | project PublicIP, AadDeviceId;\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| join kind=leftouter dvcInfo on PublicIP\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.6",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}