Detection · high · test

Sign-in Failure Due to Conditional Access Requirements Not Met

Define a baseline threshold for failed sign-ins due to Conditional Access failures

Yochana Henderson · Created Wed Jun 01 · b4a6d707-9430-4f5f-af68-0337f52d5c42 · cloud
Log Source
Product: Azure (raw: azure)
Service: signinlogs (raw: signinlogs)
Detection Logic (1 selector)
detection:
    selection:
        ResultType: 53003
        Resultdescription: Blocked by Conditional Access
    condition: selection
False Positives

Service Account misconfigured

Misconfigured Systems

Vulnerability Scanners

Rule Metadata
Rule ID: b4a6d707-9430-4f5f-af68-0337f52d5c42
Status: test
Level: high
Type: Detection
Created: Wed Jun 01
Path: rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml
Raw Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.initial-access, attack.credential-access, attack.t1110, attack.t1078.004