You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There are a number of Azure MFA failure based detections utilizing properties.status.errorCode=500121 as a means of detecting one or more MFA auth failures. There's nothing wrong with this in of itself, however upon noticing a greater number of notables than anticipated with these detections enabled and performing some testing and research I have found the following from here:
Multifactor authentication: When a user signs in with MFA, several separate MFA events are actually taking place. For example, if a user enters the wrong validation code or doesn't respond in time, more MFA events are sent to reflect the latest status of the sign-in attempt. These sign-in events appear as one line item in the Microsoft Entra sign-in logs. That same sign-in event in Azure Monitor, however, appears as multiple line items. These events all have the same correlationId.
Note the last sentence.
Testing confirms that failed MFA does indeed result in more than one event for a single ocurrence of MFA auth. In addition to the above statement, it turns out that the correlationId can span multiple MFA auth attempts, however the originalRequestId field is unique for each attempt.
As an example of what this should look like, using Azure AD Authentication Failed During MFA Challenge as a basis for an updated search:
`azure_monitor_aad` category=SignInLogs properties.status.errorCode=500121
| rename properties.* as *
| stats count, min(_time) as firstTime, max(_time) as lastTime, values(user) as user, values(src_ip) as src_ip, values(mfaDetail.authMethod) as mfa_method, values(status.additionalDetails) as status.additionalDetails, values(reason) as reason, values(appDisplayName) as appDisplayName, values(user_agent) as user_agent by correlationId, originalRequestId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(times)`
| `azure_ad_authentication_failed_during_mfa_challenge_filter`
correlationId can be thought of as the login session, and originalRequestId the MFA attempt. count is effectively useless above, but is left in to hightlight the fact that multiple events are produced for each failed attempt.
It's also worth noting that there is inconsistent data returned by Azure AD. Multiple MFA failures .e.g. MFA denied; user declined the authentication can yield inconsistent/missing values in status.additionalDetails between attempts, and either the objectid or actual username (or both!) for the user field.
App Version:
ESCU: 4.40.0
The text was updated successfully, but these errors were encountered:
That's a great suggestion @0xC0FFEEEE! Do you mind creating a PR with these fixes and I can help you get started with it Also, please add your name to the author section. I think it would be a great contribution!
There are a number of Azure MFA failure based detections utilizing
properties.status.errorCode=500121
as a means of detecting one or more MFA auth failures. There's nothing wrong with this in of itself, however upon noticing a greater number of notables than anticipated with these detections enabled and performing some testing and research I have found the following from here:Note the last sentence.
Testing confirms that failed MFA does indeed result in more than one event for a single ocurrence of MFA auth. In addition to the above statement, it turns out that the
correlationId
can span multiple MFA auth attempts, however theoriginalRequestId
field is unique for each attempt.As an example of what this should look like, using
Azure AD Authentication Failed During MFA Challenge
as a basis for an updated search:correlationId
can be thought of as the login session, andoriginalRequestId
the MFA attempt.count
is effectively useless above, but is left in to hightlight the fact that multiple events are produced for each failed attempt.It's also worth noting that there is inconsistent data returned by Azure AD. Multiple MFA failures .e.g.
MFA denied; user declined the authentication
can yield inconsistent/missing values instatus.additionalDetails
between attempts, and either the objectid or actual username (or both!) for the user field.App Version:
The text was updated successfully, but these errors were encountered: