CA Application SignIn Failures
Conditional Access Application Failures
Query
SigninLogs
| where ResultType != 0
| where ResultDescription has "Conditional Access"
| summarize Total = count(), ResultTypes = make_set(ResultType), ResultDescriptions = make_set(ResultDescription) by AppDisplayName
| sort by TotalAbout this query
CA Application SignIn Failures
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1078.004 | Valid Accounts: Cloud Accounts | https://attack.mitre.org/techniques/T1078/004/ |
Description
This KQL query lists all applications that trigger failed signin requests due to conditional access failures. This can indicate that a certain policy is not well configured and need to be changed in order for accounts to be able to access the application. On the other hand it can also be that the failed signins are valid credentials that adversaries have obtained and they are used to try and gain acces to certain applications in your environment. The CA policy will only block if the previous authentication requirements have already been met (e.g. username + password (+mfa)).
Risk
Adversaries have access to cloud credentials and are stopped due to CA policies.
References
- https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-consumer-accounts
- https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/
Sentinel
Explanation
This KQL query is designed to identify applications that have experienced failed sign-in attempts due to conditional access (CA) policy issues. Here's a simple breakdown of what the query does:
-
Data Source: It uses the
SigninLogstable, which contains records of sign-in attempts. -
Filter Criteria:
- It filters out successful sign-ins by selecting only those records where the
ResultTypeis not equal to 0 (indicating a failure). - It further narrows down the results to those failures related to "Conditional Access" by checking if the
ResultDescriptioncontains this term.
- It filters out successful sign-ins by selecting only those records where the
-
Aggregation:
- For each application (
AppDisplayName), it counts the total number of failed sign-in attempts. - It also collects unique
ResultTypevalues andResultDescriptionmessages associated with these failures.
- For each application (
-
Sorting:
- The results are sorted by the total number of failed sign-ins in ascending order.
Purpose: This query helps identify applications where users are unable to sign in due to CA policy failures. This could indicate misconfigured policies or potential unauthorized access attempts using valid credentials. By reviewing these results, administrators can adjust CA policies to ensure legitimate access while maintaining security against unauthorized attempts.
