Merge pull request #1178 from secops-and-hops/master

MFA push deny detection

Detections/SigninLogs/ExplicitMFADeny.yaml

@@ -0,0 +1,24 @@
+id: a22740ec-fc1e-4c91-8de6-c29c6450ad00
+name: Explicit MFA Deny
+description: |
+  'User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - SigninLogs
+queryFrequency: 1d
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CredentialAccess
+relevantTechniques:
+  - T1110
+query: |
+  SigninLogs
+  | where ResultType == 500121
+  | where Status has "MFA Denied; user declined the authentication"
+  | extend AccountCustomEntity = AlternateSignInName
+  | extend IPCustomEntity = IPAddress
+  | extend URLCustomEntity = ClientAppUsedlet