Rules Contributing to Microsoft Entra Sign-in Failure Alert

The following rules are used to identify suspicious Microsoft Entra sign-in failures. Any one or more of these will trigger the Microsoft Entra Sign-in Failure Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Sign-in Failure Due to Conditional Access Requirements Not Met

Define a baseline threshold for failed sign-ins due to Conditional Access failures

Rule ID

azure_3

Query

{'selection': {'ResultType': 53003}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,b4a6d707-9430-4f5f-af68-0337f52d5c42

Author: Yochana Henderson, '@Yochana-H'

Tactics, Techniques, and Procedures

CREDENTIAL_ACCESS, INITIAL_ACCESS, T1078.004, T1110

References

Severity

75

Suppression Logic Based On

  • srcip_username
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2022/06/01 high

  • Service Account misconfigured

  • Misconfigured Systems

  • Vulnerability Scanners

Multifactor Authentication Denied

User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.

Rule ID

azure_4

Query

{'selection': {'status_additionalDetails|contains': 'MFA denied'}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,e40f4962-b02b-4192-9bfe-245f7ece1f99

Author: AlertIQ

Tactics, Techniques, and Procedures

CREDENTIAL_ACCESS, INITIAL_ACCESS, T1078.004, T1110

References

Severity

50

Suppression Logic Based On

  • srcip_username
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/03/24 medium

  • Users actually login but mis-click into the Deny button when MFA prompt.

Multifactor Authentication Interrupted

Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.

Rule ID

azure_5

Query

{'selection_50074': {'ResultType': 50074}, 'selection_500121': {'ResultType': 500121}, 'condition': '1 of selection_*'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,5496ff55-42ec-4369-81cb-00f417029e25

Author: AlertIQ

Tactics, Techniques, and Procedures

CREDENTIAL_ACCESS, INITIAL_ACCESS, T1078.004, T1110

References

Severity

50

Suppression Logic Based On

  • srcip_username
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2021/10/10 medium

  • Unknown

Account Lockout

Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.

Rule ID

azure_6

Query

{'selection': {'ResultType': 50053}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a

Author: AlertIQ

Tactics, Techniques, and Procedures

CREDENTIAL_ACCESS, T1110

References

Severity

50

Suppression Logic Based On

  • srcip_username
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2021/10/10 medium

  • Unknown