Query Details

CA User SignIn Failures

Conditional Access User Failures

Query

SigninLogs
| where ResultType != 0
| where ResultDescription has "Conditional Access"
| summarize Total = count(), ResultTypes = make_set(ResultType), ResultDescriptions = make_set(ResultDescription) by UserPrincipalName
| sort by Total

About this query

Explanation

This KQL query is designed to identify users who have experienced failed sign-in attempts due to Conditional Access (CA) policy failures. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by looking at the SigninLogs, which contains records of sign-in attempts.

  2. Filter for Failures: It filters out successful sign-ins by selecting only those entries where the ResultType is not equal to 0, indicating a failure.

  3. Focus on Conditional Access: It further narrows down the results to those failures specifically related to Conditional Access by checking if the ResultDescription contains the phrase "Conditional Access".

  4. Summarize Data: For each user (identified by UserPrincipalName), it counts the total number of failed sign-ins and collects the different types of result codes (ResultTypes) and descriptions (ResultDescriptions) associated with these failures.

  5. Sort Results: Finally, it sorts the users by the total number of failed sign-ins, likely to identify those with the most issues.

In essence, this query helps identify users who are frequently blocked by Conditional Access policies, which could indicate misconfigured policies or potential security threats, such as adversaries attempting to use stolen credentials.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: November 17, 2023

Tables

SigninLogs

Keywords

SigninLogsUserPrincipalNameResultTypeResultDescriptionConditionalAccess

Operators

wherehassummarizecountmake_setbysort

MITRE Techniques

Actions

GitHub