Sign-in Failure Due to Conditional Access Requirements Not Met
Define a baseline threshold for failed sign-ins due to Conditional Access failures
Sigma rule (View on GitHub)
1title: Sign-in Failure Due to Conditional Access Requirements Not Met
2id: b4a6d707-9430-4f5f-af68-0337f52d5c42
3status: test
4description: Define a baseline threshold for failed sign-ins due to Conditional Access failures
5references:
6 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
7author: Yochana Henderson, '@Yochana-H'
8date: 2022-06-01
9tags:
10 - attack.privilege-escalation
11 - attack.persistence
12 - attack.defense-evasion
13 - attack.initial-access
14 - attack.credential-access
15 - attack.t1110
16 - attack.t1078.004
17logsource:
18 product: azure
19 service: signinlogs
20detection:
21 selection:
22 ResultType: 53003
23 Resultdescription: Blocked by Conditional Access
24 condition: selection
25falsepositives:
26 - Service Account misconfigured
27 - Misconfigured Systems
28 - Vulnerability Scanners
29level: high
References
-
Learn about baselines, and how to monitor and alert on potential security issues with privileged accounts in Microsoft Entra ID.
Read More
Related rules
- Bitbucket User Login Failure
- Failed Authentications From Countries You Do Not Operate Out Of
- Multifactor Authentication Denied
- Multifactor Authentication Interrupted
- Potential MFA Bypass Using Legacy Client Authentication