Unusual AAD Conditional Access Failures

id: dccb2dd9-6638-47dc-b552-e8eef13cfd3f name: Unusual Azure AD Conditional Access Failures description: | 'Uses Behaviour Analytics (UEBA) information in Microsoft Sentinel and correlates unusual numbers of Conditional Access failures with sign-in logs. Result shows the Conditional Access policy which could be the reason for blocking access.' severity: Medium requiredDataConnectors: - connectorId: AzureActiveDirectory dataTypes: - SigninLogs - BehaviorAnalytics queryFrequency: 1d queryPeriod: 1d triggerOperator: gt triggerThreshold: 0 tactics: - InitialAccess - Persistence relevantTechniques: - T1078 - T1098 query: | BehaviorAnalytics | where ActivityInsights.UnusualNumberOfAADConditionalAccessFailures == "True" | extend UserPrincipalName = tolower(UserPrincipalName) | join kind=inner ( union SigninLogs, AADNonInteractiveUserSignInLogs | where ConditionalAccessStatus == "failure" | mv-expand ConditionalAccessPolicies_dynamic | extend ConditionalAccessResult = parse_json(ConditionalAccessPolicies_dynamic.result) | extend ConditionalAccessName = parse_json(ConditionalAccessPolicies_dynamic.displayName) | extend ConditionalAccessId = parse_json(ConditionalAccessPolicies_dynamic.id) | extend ConditionalAccessEnforcedControl = parse_json(tostring(ConditionalAccessPolicies_dynamic.enforcedGrantControls)) | extend SourceIPAddress = IPAddress | extend UserPrincipalName = tolower(UserPrincipalName) | where ConditionalAccessResult == "failure" | project TimeGenerated, UserDisplayName, UserPrincipalName, SourceIPAddress, tostring(ConditionalAccessName), tostring(ConditionalAccessId), tostring(ConditionalAccessResult), tostring(ConditionalAccessEnforcedControl), ResultType, ResultDescription, CorrelationId, IPAddress, AADTenantId ) on UserPrincipalName, SourceIPAddress | distinct UserDisplayName, UserPrincipalName, ConditionalAccessName, ConditionalAccessId, ConditionalAccessEnforcedControl, ResultType, ResultDescription, CorrelationId, AADTenantId, IPAddress | summarize count() by UserDisplayName, UserPrincipalName, ConditionalAccessName, ConditionalAccessId, ConditionalAccessEnforcedControl, ResultType, ResultDescription, AADTenantId, IPAddress | extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress entityMappings: - entityType: Account fieldMappings: - identifier: FullName columnName: AccountCustomEntity - entityType: IP fieldMappings: - identifier: Address columnName: IPCustomEntity version: 1.0.0

Explanation

This query is designed to identify unusual numbers of Azure AD Conditional Access failures by using Behavior Analytics information in Microsoft Sentinel. It correlates these failures with sign-in logs and provides information about the Conditional Access policy that may be blocking access. The query frequency is set to once a day, and the query period is also one day. The severity of this query is medium. The relevant techniques for this query are InitialAccess and Persistence. The query filters the BehaviorAnalytics data to find unusual numbers of Conditional Access failures, then joins it with the SigninLogs and AADNonInteractiveUserSignInLogs data. It extracts relevant information such as user details, source IP address, Conditional Access policy details, and result information. The query then summarizes the data and maps it to the Account and IP entities.

Details

Thomas Naunheim

Released: August 23, 2023

Tables

BehaviorAnalyticsSigninLogsAADNonInteractiveUserSignInLogs

Keywords

BehaviorAnalytics,SigninLogs,AADNonInteractiveUserSignInLogs,ConditionalAccessStatus,ConditionalAccessPolicies_dynamic,UserPrincipalName,IPAddress,ConditionalAccessResult,ConditionalAccessName,ConditionalAccessId,ConditionalAccessEnforcedControl,SourceIPAddress,TimeGenerated,UserDisplayName,ResultType,ResultDescription,CorrelationId,AADTenantId,FullName,Address

Operators

whereextendjoinunionmv-expandparse_jsonprojectdistinctsummarizecount()byon

KQL Search