Sign-in Failure Due to Conditional Access Requirements Not Met
Define a baseline threshold for failed sign-ins due to Conditional Access failures
Sigma rule (View on GitHub)
1title: Sign-in Failure Due to Conditional Access Requirements Not Met
2id: b4a6d707-9430-4f5f-af68-0337f52d5c42
3status: test
4description: Define a baseline threshold for failed sign-ins due to Conditional Access failures
5references:
6 - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts
7author: Yochana Henderson, '@Yochana-H'
8date: 2022/06/01
9tags:
10 - attack.initial_access
11 - attack.credential_access
12 - attack.t1110
13 - attack.t1078.004
14logsource:
15 product: azure
16 service: signinlogs
17detection:
18 selection:
19 ResultType: 53003
20 Resultdescription: Blocked by Conditional Access
21 condition: selection
22falsepositives:
23 - Service Account misconfigured
24 - Misconfigured Systems
25 - Vulnerability Scanners
26level: high
References
Related rules
- Failed Authentications From Countries You Do Not Operate Out Of
- Multifactor Authentication Interrupted
- Successful Authentications From Countries You Do Not Operate Out Of
- Multifactor Authentication Denied
- User Access Blocked by Azure Conditional Access