Query Details
//Detect when a user who holds an Azure AD privileged role fails MFA multiple times in a short time period. This example uses 2 failures within 20 minutes.
//Data connector required for this query - Azure Active Directory - Signin Logs
//Data connector required for this query - Microsoft Sentinel UEBA
let privusers=
IdentityInfo
| where TimeGenerated > ago(21d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where isnotempty(AssignedRoles)
| where AssignedRoles != "[]"
| distinct AccountUPN;
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "500121"
| where UserPrincipalName in (privusers)
| mv-expand todynamic(AuthenticationDetails)
| extend ['MFA Failure Type'] = tostring(parse_json(AuthenticationDetails).authenticationStepResultDetail)
| where ['MFA Failure Type'] startswith "MFA denied"
| summarize
['MFA Failure Count']=count(),
['MFA Failure Reasons']=make_list(['MFA Failure Type'])
by UserPrincipalName, bin(TimeGenerated, 20m)
| where ['MFA Failure Count'] >= 2

This query detects when a user with an Azure AD privileged role fails multi-factor authentication (MFA) multiple times within a short time period. It looks at the sign-in logs and identifies users who have failed MFA (result type 500121) and have a privileged role assigned. It then expands the authentication details and filters for MFA failure types starting with "MFA denied". The query summarizes the count of MFA failures and the reasons for the failures by user and time period (binning into 20-minute intervals). Finally, it keeps only users who have had at least 2 MFA failures within one interval.
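To make the query's logic concrete, here is an added Python re-implementation (not part of the original query or Microsoft Sentinel) run over constructed IdentityInfo and SigninLogs rows; the UPNs, role names and failure detail strings are sample values, and the arg_max deduplication of IdentityInfo is assumed already done.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample rows (not real tenant data). AssignedRoles is the JSON
# string the IdentityInfo table carries; ResultType "500121" and the
# "MFA denied" prefix are the values the KQL query above keys on.
IDENTITY_INFO = [
    {"AccountUPN": "alice@contoso.example", "AssignedRoles": '["Global Administrator"]'},
    {"AccountUPN": "bob@contoso.example", "AssignedRoles": "[]"},
]
T0 = datetime(2022, 6, 17, 8, 0, tzinfo=timezone.utc)

def _row(minutes, upn, result, detail):
    # AuthenticationDetails is a JSON array of per-step objects, as in SigninLogs
    return {"TimeGenerated": T0 + timedelta(minutes=minutes), "UserPrincipalName": upn,
            "ResultType": result,
            "AuthenticationDetails": json.dumps([{"authenticationStepResultDetail": detail}])}
SIGNIN_LOGS = [
    _row(2, "alice@contoso.example", "500121", "MFA denied; user declined the authentication"),
    _row(9, "alice@contoso.example", "500121", "MFA denied; user declined the authentication"),
    _row(30, "alice@contoso.example", "500121", "MFA denied; user declined the authentication"),
    _row(3, "bob@contoso.example", "500121", "MFA denied; user declined the authentication"),
    _row(4, "bob@contoso.example", "500121", "MFA denied; user declined the authentication"),
    _row(5, "alice@contoso.example", "0", "MFA completed in Azure AD"),
]

def privileged_users(identity_info):
    """The `privusers` let-statement: UPNs whose AssignedRoles is non-empty and not "[]"."""
    return {r["AccountUPN"] for r in identity_info
            if r["AssignedRoles"] and r["AssignedRoles"] != "[]"}

def bin_20m(ts):
    """KQL bin(TimeGenerated, 20m): floor to the enclosing fixed 20-minute window."""
    return ts.replace(second=0, microsecond=0) - timedelta(minutes=ts.minute % 20)

def mfa_failure_alerts(signin_logs, identity_info, threshold=2):
    """Return {(UPN, window start): [reasons]} for privileged users with >= threshold denials per window."""
    privusers = privileged_users(identity_info)
    buckets = {}
    for row in signin_logs:
        if row["ResultType"] != "500121" or row["UserPrincipalName"] not in privusers:
            continue
        # mv-expand: one record per element of the AuthenticationDetails array
        for step in json.loads(row["AuthenticationDetails"]):
            reason = str(step.get("authenticationStepResultDetail", ""))
            if reason.startswith("MFA denied"):
                key = (row["UserPrincipalName"], bin_20m(row["TimeGenerated"]))
                buckets.setdefault(key, []).append(reason)
    return {k: v for k, v in buckets.items() if len(v) >= threshold}
```

On this sample only alice's two denials in the 08:00 window alert: bob's pair is dropped because he holds no role, and alice's third denial at 08:30 falls in the next fixed window. Because bin() uses fixed (tumbling) windows, two denials a few minutes apart but on either side of a 20-minute boundary will not be counted together.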

Matt Zorich
Released: June 17, 2022