This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

MFA Related Logs

Posted on 03-21-2024 03:33 AM
TPankaj
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

Hi Team,

How can we check MFA logs/events  in Chronicle SIEM using O365 (log source).

1 2 71
Topic Labels
2 REPLIES 2

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM

It depends a bit on what you are looking for exactly. For example, some of the rules we've built in community are looking for logins into non-1P apps, or into anomalous apps, or other odd circumstances within Entra ID and using O365 logs.

https://github.com/chronicle/detection-rules/tree/main/community/microsoft/o365

Below is a quick and dirty rule I mocked up that could be used as a starting point depending upon where you are looking to go with your use case. This is dependent on having both a block login and an allow, but clearly could be augmented to just show blocks that never succeed (with a time window) or build thresholding into the condition, x number of block attempts etc.

rule o365_mfa_login_activity {

  meta:
    author = "Google Cloud Security"
    description = "Quick POC For Monitoring MFA Login Activity with O365 Logs"
    severity = "Medium"

  events:
    $block.metadata.event_type = "USER_LOGIN"
    $block.metadata.product_name = "Office 365"
    $block.metadata.vendor_name = "Microsoft"
    $block.security_result.action = "BLOCK"
    $block.additional.fields["error_number"] != "0"
    $block.network.session_id = $session
    $block.target.user.userid = $user

    $block.metadata.event_timestamp.seconds < $grant.metadata.event_timestamp.seconds 

    $grant.metadata.event_type = "USER_LOGIN"
    $grant.metadata.product_name = "Office 365"
    $grant.metadata.vendor_name = "Microsoft"
    $grant.security_result.action = "ALLOW"
    $grant.network.session_id = $session
    $grant.target.user.userid = $user
    //used to tune out specific users or process jobs you might not care about
    $grant.target.user.userid != /Sync_WIN-ADFS/
    
    //about.labels.key = "RequestType"
    //about.labels.value = "OAuth2:Authorize"

  match:
    $session over 10m

  outcome:
    $risk_score = 15
    $user_agent = array_distinct($grant.network.http.user_agent)
    $target_user = array_distinct($grant.target.user.userid)
    $requesting_ip = array_distinct($grant.principal.ip)
    $error_codes = array_distinct($block.additional.fields["error_number"])

  condition:
    $block and $grant
}

I would take a good look at this microsoft reference on error codes https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes as you develop your use case. There are a number of blocks that will occur due to very normal reasons, including strong authentication needed which is a prompt for the MFA. Additionally the about label key value for Request Type will show OAuth2 authorize which is normal but will also show CMSI and KMSI messages which are the keep me signed in popups that MS throws out there to users. All of these generate logs and we are capturing it but some testing and tuning will be needed depending on what you want to alert on.

I hope to add some additional anomalous login rules to the community so I'd welcome any specific ideas you have and will work with them in addition to some of the others I have brewing but it won't be for the next month or two.

 

Posted on --/--/---- --:-- AM
TPankaj
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

Thank you @jstoner . Do we have to integrate Azure_AD logs in case we need detailed MFA logs ?

0 Likes