Query Details
//Detect when a user reports suspicious MFA activity via the updated user risk integration
//Data connector required for this query - Azure Active Directory - Signin Logs
SigninLogs
| where ResultType == 500121
| mv-expand todynamic(AuthenticationDetails)
| extend AuthResultDetail=AuthenticationDetails.authenticationStepResultDetail
| where AuthResultDetail == "SuspiciousActivityReported"
| project TimeGenerated, UserPrincipalName, ResultType, AppDisplayName, AuthResultDetail, Location, IPAddress, UserAgent, CorrelationId

//These events are also written to Azure AD Identity Protection
//Data connector required for this query - Azure Active Directory Identity Protection
AADUserRiskEvents
| where RiskEventType == "userReportedSuspiciousActivity"
| project TimeGenerated, UserPrincipalName, DetectionTimingType, RiskEventType, RiskState
This query is used to detect when a user reports suspicious activity related to multi-factor authentication (MFA). It requires two data connectors: Azure Active Directory - Signin Logs and Azure Active Directory Identity Protection.
The first query filters SigninLogs for events with a ResultType of 500121, the sign-in error returned when authentication fails during the strong authentication (MFA) step; a user pressing "report fraud" or "No, it's not me" on the prompt produces this error. Because AuthenticationDetails is stored as a JSON array with one object per authentication step, the query parses it with todynamic and mv-expands it so that each step becomes its own row, then keeps only rows whose authenticationStepResultDetail is "SuspiciousActivityReported" (an ordinary MFA denial carries a different detail and is not matched). The projected fields are TimeGenerated, UserPrincipalName, ResultType, AppDisplayName, AuthResultDetail, Location, IPAddress, UserAgent, and CorrelationId; IPAddress, Location and UserAgent identify the sign-in attempt the user rejected, and CorrelationId lets you pivot back to the full sign-in record.
In the second part of the query, it filters the AADUserRiskEvents for events with a RiskEventType of "userReportedSuspiciousActivity". The selected fields are TimeGenerated, UserPrincipalName, DetectionTimingType, RiskEventType, and RiskState.
The same user reports also surface in Azure AD Identity Protection as the userReportedSuspiciousActivity risk detection, which is what the second query pulls from AADUserRiskEvents. The sign-in event shows which application, IP address and user agent the attacker was using; the risk event adds DetectionTimingType and RiskState, so you can see whether the user's risk is still open or has already been remediated or dismissed.
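The following is an added worked example, not part of the original query or Matt Zorich's repository: it re-implements the logic of both queries in Python over constructed sample rows (hypothetical users, IP addresses and correlation IDs, shaped like Sentinel's SigninLogs and AADUserRiskEvents exports), including the todynamic/mv-expand step over the AuthenticationDetails JSON array, and then goes one step beyond the page by correlating the two sources per user within a time window so that a single alert carries both the sign-in context and the RiskState.

```python
"""Detection logic of the two KQL queries above, re-implemented over constructed sample rows."""
import json
from datetime import datetime, timedelta, timezone

AUTH_STEP_OK = {"authenticationMethod": "Password", "succeeded": True,
                "authenticationStepResultDetail": "Correct password"}


def signin_row(when, upn, result_type, app, ip, corr, mfa_detail, mfa_ok):
    """Build a constructed SigninLogs-shaped row (hypothetical data, not real telemetry).
    AuthenticationDetails is a JSON string holding one object per authentication step."""
    steps = [AUTH_STEP_OK, {"authenticationMethod": "Mobile app notification",
                            "succeeded": mfa_ok, "authenticationStepResultDetail": mfa_detail}]
    return {"TimeGenerated": when, "UserPrincipalName": upn, "ResultType": result_type,
            "AppDisplayName": app, "Location": "US", "IPAddress": ip, "UserAgent": "Mozilla/5.0",
            "CorrelationId": corr, "AuthenticationDetails": json.dumps(steps)}


SIGNIN_LOGS = [
    # user reported the MFA prompt as fraud: sign-in fails with 500121
    signin_row("2023-05-02T09:15:00Z", "alice@contoso.example", "500121",
               "Office 365 Exchange Online", "203.0.113.10", "corr-1",
               "SuspiciousActivityReported", False),
    # ordinary MFA denial: same ResultType, different step detail, must not fire
    signin_row("2023-05-02T09:20:00Z", "bob@contoso.example", "500121",
               "Azure Portal", "198.51.100.7", "corr-2",
               "MFA denied; user declined the authentication", False),
    # successful sign-in, ResultType 0, must not fire
    signin_row("2023-05-02T09:25:00Z", "alice@contoso.example", "0",
               "Microsoft Teams", "203.0.113.10", "corr-3", "MFA completed in Azure AD", True),
]

# Constructed rows shaped like AADUserRiskEvents.
RISK_EVENTS = [
    {"TimeGenerated": "2023-05-02T09:15:20Z", "UserPrincipalName": "alice@contoso.example",
     "DetectionTimingType": "realtime", "RiskEventType": "userReportedSuspiciousActivity",
     "RiskState": "atRisk"},
    {"TimeGenerated": "2023-05-02T09:21:00Z", "UserPrincipalName": "bob@contoso.example",
     "DetectionTimingType": "realtime", "RiskEventType": "unfamiliarFeatures",
     "RiskState": "atRisk"},
]

SIGNIN_FIELDS = ("TimeGenerated", "UserPrincipalName", "ResultType", "AppDisplayName",
                 "Location", "IPAddress", "UserAgent", "CorrelationId")
RISK_FIELDS = ("TimeGenerated", "UserPrincipalName", "DetectionTimingType",
               "RiskEventType", "RiskState")


def parse_time(value):
    """ISO-8601 with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def reported_mfa_fraud_signins(rows):
    """First query: ResultType 500121, expand AuthenticationDetails, keep SuspiciousActivityReported."""
    hits = []
    for row in rows:
        # ResultType is a string column in the SigninLogs schema, so compare as text.
        if str(row.get("ResultType")) != "500121":
            continue
        # todynamic + mv-expand: parse the JSON array and examine one step at a time.
        for step in json.loads(row.get("AuthenticationDetails") or "[]"):
            if step.get("authenticationStepResultDetail") == "SuspiciousActivityReported":
                hit = {k: row.get(k) for k in SIGNIN_FIELDS}
                hit["AuthResultDetail"] = step["authenticationStepResultDetail"]
                hits.append(hit)
    return hits


def reported_fraud_risk_events(rows):
    """Second query: the same reports as Identity Protection risk detections."""
    return [{k: r.get(k) for k in RISK_FIELDS}
            for r in rows if r.get("RiskEventType") == "userReportedSuspiciousActivity"]


def correlate(signins, risk_events, window=timedelta(minutes=15)):
    """Pair each fraud-report sign-in with the risk detection for the same user inside `window`,
    so one alert carries the sign-in context and the current RiskState."""
    alerts = []
    for s in signins:
        t = parse_time(s["TimeGenerated"])
        for r in risk_events:
            if (r["UserPrincipalName"].lower() == s["UserPrincipalName"].lower()
                    and abs(parse_time(r["TimeGenerated"]) - t) <= window):
                alerts.append({**s, "RiskState": r["RiskState"],
                               "DetectionTimingType": r["DetectionTimingType"]})
    return alerts


if __name__ == "__main__":
    alerts = correlate(reported_mfa_fraud_signins(SIGNIN_LOGS), reported_fraud_risk_events(RISK_EVENTS))
    for a in alerts:
        print(f'{a["TimeGenerated"]} {a["UserPrincipalName"]} rejected an MFA prompt for '
              f'{a["AppDisplayName"]} from {a["IPAddress"]}; RiskState={a["RiskState"]}')
```

Only the first constructed row fires: the second has the same ResultType but a plain denial detail, and the third succeeded. The correlation window is an assumption chosen for the example; in production the risk detection is typically written within seconds of the sign-in, so a short window is enough and avoids pairing a report with an older, unrelated risk event for the same user.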

Matt Zorich
Released: May 2, 2023