Query Details

Unusual Azure AD Conditional Access Failures

Unusual AAD Conditional Access Failures

Query

BehaviorAnalytics
| where ActivityInsights.UnusualNumberOfAADConditionalAccessFailures == "True"
| extend UserPrincipalName = tolower(UserPrincipalName)
| join kind=inner (
    union SigninLogs, AADNonInteractiveUserSignInLogs
    | where ConditionalAccessStatus == "failure"
    | mv-expand ConditionalAccessPolicies_dynamic
    | extend ConditionalAccessResult = parse_json(ConditionalAccessPolicies_dynamic.result)
    | extend ConditionalAccessName = parse_json(ConditionalAccessPolicies_dynamic.displayName)
    | extend ConditionalAccessId = parse_json(ConditionalAccessPolicies_dynamic.id)
    | extend ConditionalAccessEnforcedControl = parse_json(tostring(ConditionalAccessPolicies_dynamic.enforcedGrantControls))
    | extend SourceIPAddress = IPAddress
    | extend UserPrincipalName = tolower(UserPrincipalName)
    | where ConditionalAccessResult == "failure"
    | project TimeGenerated, UserDisplayName, UserPrincipalName, SourceIPAddress, tostring(ConditionalAccessName), tostring(ConditionalAccessId), tostring(ConditionalAccessResult), tostring(ConditionalAccessEnforcedControl), ResultType, ResultDescription, CorrelationId, IPAddress, AADTenantId
) on UserPrincipalName, SourceIPAddress
| distinct UserDisplayName, UserPrincipalName, ConditionalAccessName, ConditionalAccessId, ConditionalAccessEnforcedControl, ResultType, ResultDescription, CorrelationId, AADTenantId, IPAddress
| summarize count() by UserDisplayName, UserPrincipalName, ConditionalAccessName, ConditionalAccessId, ConditionalAccessEnforcedControl, ResultType, ResultDescription, AADTenantId, IPAddress
| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress

Explanation

This query is designed to identify unusual numbers of Azure AD Conditional Access failures by using Behavior Analytics information in Microsoft Sentinel. It correlates these failures with sign-in logs and provides information about the Conditional Access policy that may be blocking access. The query frequency is set to once a day, and the query period is also one day. The severity of this query is medium. The relevant techniques for this query are InitialAccess and Persistence. The query filters the BehaviorAnalytics data to find unusual numbers of Conditional Access failures, then joins it with the SigninLogs and AADNonInteractiveUserSignInLogs data. It extracts relevant information such as user details, source IP address, Conditional Access policy details, and result information. The query then summarizes the data and maps it to the Account and IP entities.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: August 23, 2023

Tables

BehaviorAnalyticsSigninLogsAADNonInteractiveUserSignInLogs

Keywords

BehaviorAnalyticsSigninLogsAADNonInteractiveUserSignInLogsConditionalAccessStatusConditionalAccessPolicies_dynamicUserPrincipalNameIPAddressConditionalAccessResultConditionalAccessNameConditionalAccessIdConditionalAccessEnforcedControlSourceIPAddressTimeGeneratedUserDisplayNameResultTypeResultDescriptionCorrelationIdAADTenantIdFullNameAddress

Operators

whereextendjoinunionmv-expandparse_jsonprojectdistinctsummarizecount()byon

Severity

Medium

Tactics

InitialAccessPersistence

MITRE Techniques

Frequency: 1d

Period: 1d

Actions

GitHub