Identity Anomalous Conditional Access Failures
Query
//Detect anomalies in the amount of conditional access failures by users in your tenant, then visualize those conditional access failures
//Data connector required for this query - Azure Active Directory - Signin Logs
//Starttime and endtime = which period of data to look at, i.e from 21 days ago until today.
let startdate=21d;
let enddate=1d;
//Timeframe = time period to break the data up into, i.e 1 hour blocks.
let timeframe=1h;
//Sensitivity = the lower the number the more sensitive the anomaly detection is, i.e it will find more anomalies, default is 1.5
let sensitivity=2;
//Threshold = set this to tune out low count anomalies, i.e when total failures for a user doubles from 1 to 2
let threshold=5;
let outlierusers=
SigninLogs
| where TimeGenerated between (startofday(ago(startdate))..startofday(ago(enddate)))
| where ResultType == "53003"
| project TimeGenerated, ResultType, UserPrincipalName
| make-series CAFailureCount=count() on TimeGenerated from startofday(ago(startdate)) to startofday(ago(enddate)) step timeframe by UserPrincipalName
| extend outliers=series_decompose_anomalies(CAFailureCount, sensitivity)
| mv-expand TimeGenerated, CAFailureCount, outliers
| where outliers == 1 and CAFailureCount > threshold
| distinct UserPrincipalName;
//Optionally visualize the anomalies
SigninLogs
| where TimeGenerated between (startofday(ago(startdate))..startofday(ago(enddate)))
| where ResultType == "53003"
| project TimeGenerated, ResultType, UserPrincipalName
| where UserPrincipalName in (outlierusers)
| summarize CAFailures=count()by UserPrincipalName, bin(TimeGenerated, timeframe)
| render timechart with (ytitle="Failure Count",title="Anomalous Conditional Access Failures")Explanation
This query detects anomalies in the amount of conditional access failures by users in your tenant and visualizes those failures. It uses the Azure Active Directory - Signin Logs data connector. The query looks at a specific period of data, starting from 21 days ago until today. The data is broken up into 1-hour blocks. The sensitivity parameter determines how sensitive the anomaly detection is, with a lower number indicating more sensitivity. The threshold parameter filters out low count anomalies. The query identifies outlier users with a higher number of failures and then visualizes those anomalies in a timechart.
Details

Matt Zorich
Released: June 17, 2022
Tables
SigninLogs
Keywords
DevicesIntuneUserAzure Active DirectorySignin LogsTimeGeneratedResultTypeUserPrincipalNameCAFailureCountoutliersthresholdstartdateenddatetimeframesensitivitystartofdayagomake-seriescountstepextendmv-expanddistinctwhereinsummarizebinrender
Operators
letstartdate=21denddate=1dtimeframe=1hsensitivity=2threshold=5outlierusers=SigninLogswhereTimeGeneratedbetweenstartofdayagostartdateenddateResultType=="53003"projectUserPrincipalNamemake-seriesCAFailureCountcount()onstepextendoutliers=series_decompose_anomaliesmv-expandoutliers1>thresholddistinctoptionallyvisualizesummarizeCAFailures=count()bybinrendertimechartwithytitle="Failure Count"title="Anomalous Conditional Access Failures"