

This analytic targets the detection of an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically identifying instances where more than nine MFA prompts were declined by the user. Utilizing Azure Active Directory (Azure AD) sign-in logs, particularly focusing on "Sign-in activity" events, it filters for scenarios where the MFA request was denied due to the user declining the authentication, as indicated by error code 500121 and additional details stating "MFA denied; user declined the authentication." The data is then aggregated into 10-minute intervals, counting distinct raw events and capturing the earliest and latest times of occurrence for each user. This behavior is significant for a Security Operations Center (SOC) as it could be an early indicator of a targeted attack or an account compromise attempt, with an attacker having obtained the user's credentials and the user actively declining the MFA prompts, preventing unauthorized access. A true positive detection would imply that an attacker is on the verge of gaining full access to the user's account, posing a threat that could lead to data exfiltration, lateral movement, or further malicious activities within the organization, necessitating immediate investigation and response to safeguard the organization's assets.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Last Updated: 2023-12-20
  • Author: Mauricio Velazco, Splunk
  • ID: d0895c20-de71-4fd2-b56c-3fcdb888eba1




| ID    | Technique                                     | Tactic            |
|-------|-----------------------------------------------|-------------------|
| T1621 | Multi-Factor Authentication Request Generation | Credential Access |

  • Kill Chain Phase: Exploitation
  • NIST: DE.CM
  • CIS20: CIS 10
`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" 
| rename properties.* as * 
| search status.errorCode=500121 status.additionalDetails="MFA denied; user declined the authentication" 
| bucket span=10m _time 
| stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent 
| where count > 9 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_multiple_denied_mfa_requests_for_user_filter`


The SPL above uses the following Macros:

  • azure_monitor_aad
  • security_content_ctime
  • azure_ad_multiple_denied_mfa_requests_for_user_filter

:information_source: azure_ad_multiple_denied_mfa_requests_for_user_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
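The same filter-bucket-count logic as the SPL above, rewritten in Python as an added example (not part of the Splunk content) so the threshold and window can be tested against sample records offline. The event layout and the sample data are constructed assumptions that approximate an azure:monitor:aad SignInLogs record.

```python
import json
from collections import defaultdict

SPAN_SECONDS = 600   # `bucket span=10m _time`
THRESHOLD = 9        # `where count > 9`
DECLINED = "MFA denied; user declined the authentication"

def denied_mfa_bursts(events, span=SPAN_SECONDS, threshold=THRESHOLD):
    """Return rows equivalent to the SPL stats output where count > threshold."""
    buckets = defaultdict(list)
    for ev in events:
        if ev.get("category") != "SignInLogs" or ev.get("operationName") != "Sign-in activity":
            continue
        props = ev.get("properties", {})
        status = props.get("status", {})
        # Same two conditions as the `search` stage: error code and exact detail text.
        if str(status.get("errorCode")) != "500121" or status.get("additionalDetails") != DECLINED:
            continue
        t = ev["_time"]
        bucket = t - (t % span)  # align the timestamp to the start of its 10-minute span
        key = (bucket, ev.get("user"), status.get("additionalDetails"),
               props.get("appDisplayName"), ev.get("user_agent"))
        buckets[key].append(t)
    rows = []
    for (bucket, user, details, app, ua), times in sorted(buckets.items()):
        if len(times) > threshold:
            rows.append({"user": user, "count": len(times), "firstTime": min(times),
                         "lastTime": max(times), "appDisplayName": app, "user_agent": ua})
    return rows

def _event(t, user, code, details, app="Office 365", ua="Mozilla/5.0"):
    # Constructed sample record; the nesting mirrors the `properties.*` fields the SPL renames.
    return {"_time": t, "category": "SignInLogs", "operationName": "Sign-in activity",
            "user": user, "user_agent": ua,
            "properties": {"appDisplayName": app,
                           "status": {"errorCode": code, "additionalDetails": details}}}

# Constructed sample: alice declines 11 prompts inside one window, bob declines 3,
# and one non-matching successful sign-in (errorCode 0) must be ignored.
SAMPLE_EVENTS = (
    [_event(1700000000 + 30 * i, "alice@example.com", 500121, DECLINED) for i in range(11)]
    + [_event(1700000000 + 60 * i, "bob@example.com", 500121, DECLINED) for i in range(3)]
    + [_event(1700000000 + 300, "alice@example.com", 0, "MFA completed in Azure AD")]
)

if __name__ == "__main__":
    for row in denied_mfa_bursts(SAMPLE_EVENTS):
        print(json.dumps(row))  # only alice exceeds the threshold
```

Lowering `threshold` lets you see how the window boundary and the per-user grouping affect which bursts surface before tuning the filter macro.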

Required fields

List of fields required to use this analytic.

  • _time
  • category
  • properties.status.errorCode
  • properties.status.additionalDetails
  • user
  • properties.appDisplayName
  • user_agent

How To Implement

You must install the latest version of the Splunk Add-on for Microsoft Cloud Services from Splunkbase. You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs category.

Known False Positives

Multiple denied MFA requests in a short period of time may also be a sign of authentication errors. Investigate and filter as needed.

Associated Analytic Story


| Risk Score | Impact | Confidence | Message                                                                 |
|------------|--------|------------|-------------------------------------------------------------------------|
| 54.0       | 60     | 90         | User $user$ denied more than 9 MFA requests in a timespan of 10 minutes. |

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 2