Query Details

CA Application SignIn Failures

Conditional Access Application Failures

Query

SigninLogs
| where ResultType != 0
| where ResultDescription has "Conditional Access"
| summarize Total = count(), ResultTypes = make_set(ResultType), ResultDescriptions = make_set(ResultDescription) by AppDisplayName
| sort by Total

About this query

CA Application SignIn Failures

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1078.004Valid Accounts: Cloud Accountshttps://attack.mitre.org/techniques/T1078/004/

Description

This KQL query lists all applications that trigger failed signin requests due to conditional access failures. This can indicate that a certain policy is not well configured and need to be changed in order for accounts to be able to access the application. On the other hand it can also be that the failed signins are valid credentials that adversaries have obtained and they are used to try and gain acces to certain applications in your environment. The CA policy will only block if the previous authentication requirements have already been met (e.g. username + password (+mfa)).

Risk

Adversaries have access to cloud credentials and are stopped due to CA policies.

References

Sentinel

Explanation

This KQL query is designed to identify applications that have experienced failed sign-in attempts due to conditional access (CA) policy issues. Here's a simple breakdown of what the query does:

  1. Data Source: It uses the SigninLogs table, which contains records of sign-in attempts.

  2. Filter Criteria:

    • It filters out successful sign-ins by selecting only those records where the ResultType is not equal to 0 (indicating a failure).
    • It further narrows down the results to those failures related to "Conditional Access" by checking if the ResultDescription contains this term.
  3. Aggregation:

    • For each application (AppDisplayName), it counts the total number of failed sign-in attempts.
    • It also collects unique ResultType values and ResultDescription messages associated with these failures.
  4. Sorting:

    • The results are sorted by the total number of failed sign-ins in ascending order.

Purpose: This query helps identify applications where users are unable to sign in due to CA policy failures. This could indicate misconfigured policies or potential unauthorized access attempts using valid credentials. By reviewing these results, administrators can adjust CA policies to ensure legitimate access while maintaining security against unauthorized attempts.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: November 17, 2023

Tables

SigninLogs

Keywords

SigninLogsAppDisplayNameResultTypeResultDescriptionTotalResultTypesResultDescriptions

Operators

SigninLogswhere!=hassummarizecount()make_set()bysort by

MITRE Techniques

Actions

GitHub