New Failed Sign in MACS Policy


Hi Guys, 

 

I am trying to get a new policy corrected so that it does not show so much noise. What I have done is created a policy that looks for failed sign-ins. In the Activity section of the policy I have selected "Failed Log on". However, what I would really like to see is just "(Failure message: Strong Authentication (second factor) is required)" messages. The idea is that we have all users in MFA, so seeing an alert with 5 failed MFA attempts in 5 min should mean that either the user is having a problem or someone else might be trying to access that account. We have the policy but it creates quite a few alerts as I cannot find the activity linked to Failed MFA attempts.

Any help would be appreciated. 
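
The alerting logic described in the post above (count only failed log-ons carrying the quoted second-factor failure message, 5 per user within 5 minutes), as an added example that is not part of the original post and is not Cloud App Security's own policy engine. The event field names (`user`, `time`, `activity`, `failure_message`) and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failure message quoted in the post; everything else below is an assumption.
MFA_FAILURE = "Strong Authentication (second factor) is required"
THRESHOLD = 5                      # failed MFA attempts ...
WINDOW = timedelta(minutes=5)      # ... within this window, per user


def _ev(user, hhmmss, message):
    """Build one constructed failed-log-on event (hypothetical field names)."""
    return {"user": user, "time": f"2019-06-01T{hhmmss}",
            "activity": "Failed log on", "failure_message": message}


# Constructed sample data, not a real activity-log export.
SAMPLE_EVENTS = (
    # alice: 5 MFA failures in 4 minutes -> should alert
    [_ev("alice", f"09:0{m}:00", MFA_FAILURE) for m in range(5)]
    # bob: 5 failed log-ons, but password failures (the noise to exclude)
    + [_ev("bob", f"09:0{m}:30", "Invalid username or password") for m in range(5)]
    # carol: 5 MFA failures spread over 20 minutes -> below the rate threshold
    + [_ev("carol", f"10:{m:02d}:00", MFA_FAILURE) for m in range(0, 25, 5)]
)


def mfa_failure_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per user per burst of `threshold` MFA failures in `window`."""
    recent = defaultdict(deque)    # user -> timestamps of recent MFA failures
    alerts = []
    parsed = [(datetime.fromisoformat(e["time"]), e) for e in events]
    for ts, ev in sorted(parsed, key=lambda pair: pair[0]):
        # Drop other failed log-ons; only the second-factor message counts.
        if ev["activity"] != "Failed log on":
            continue
        if MFA_FAILURE not in ev.get("failure_message", ""):
            continue
        q = recent[ev["user"]]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"user": ev["user"], "first": q[0],
                           "last": ts, "count": len(q)})
            q.clear()              # one alert per burst, not one per extra event
    return alerts


if __name__ == "__main__":
    for alert in mfa_failure_alerts(SAMPLE_EVENTS):
        print(alert)
```
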

3 Replies

@JasonNeasham 

 

Hi, @Sebastien Molendijk is this something you can speak to?

 

I never get failed log in attempts, is there something more to configure?