Skip to content

Latest commit

 

History

History
29 lines (21 loc) · 1.37 KB

ConditionalAccess - ApplicationFailures.md

File metadata and controls

29 lines (21 loc) · 1.37 KB

CA Application SignIn Failures

Query Information

MITRE ATT&CK Technique(s)

Technique ID Title Link
T1078.004 Valid Accounts: Cloud Accounts https://attack.mitre.org/techniques/T1078/004/

Description

This KQL query lists all applications that trigger failed signin requests due to conditional access failures. This can indicate that a certain policy is not well configured and need to be changed in order for accounts to be able to access the application. On the other hand it can also be that the failed signins are valid credentials that adversaries have obtained and they are used to try and gain acces to certain applications in your environment. The CA policy will only block if the previous authentication requirements have already been met (e.g. username + password (+mfa)).

Risk

Adversaries have access to cloud credentials and are stopped due to CA policies.

References

Sentinel

SigninLogs
| where ResultType != 0
| where ResultDescription has "Conditional Access"
| summarize Total = count(), ResultTypes = make_set(ResultType), ResultDescriptions = make_set(ResultDescription) by AppDisplayName
| sort by Total