Need help with MFA use case for adding a new device or deleting a device

Hi Team,

I have integrated O365 with Chronicle SIEM and want to create a use case for MFA activities. Specifically, if a user adds a new device, deletes a device or deletes MFA, then it should trigger an alert.

Can it be done using O365 logs only, or do I have to integrate Azure AD as well?

Is there any use case available?


Hello, 

As I am not certain what logs contain that kind of information, I cannot tell you exactly how to create a detection rule for that specific use case.

This would be something you would need to investigate with Microsoft; however, we do have a good amount of community rules here that are specific to O365 that may give you some better guidance and understanding of how to proceed.

https://github.com/chronicle/detection-rules/tree/main/community/microsoft/o365


I would say that Azure AD Audit data is a bit more descriptive in this use case than O365, but you may be able to do some of it with O365. That said, O365 won't tell you the IP address where the MFA enrollment is being initiated from, which is a bit annoying. If possible, I would take a look at the Azure AD audit as well if the lift isn't too great to get it into the system because you will find certain logging events that are just flat out better in the one versus the other.

I hacked this together based on an enrollment of a user; the extracted fields and field/value pairs with old and new values can be handy for this. I left some examples in around the method types. Depending on your use case, the regex for the old and new values can be adjusted to get what you are looking for. Here are some key method types to reference.

  • PhoneAppNotification=0
  • PhoneAppOTP=6
  • OneWaySMS=7
  • TwoWayVoiceOffice=5
  • TwoWayVoiceMobile=2


rule o365_mfa_enrollment {

  meta:
    author = "Google Cloud Security"
    severity = "Medium"

  events:
    $user.metadata.event_type = "USER_UNCATEGORIZED"
    $user.metadata.product_event_type = "Update user."
    $user.metadata.product_name = "Office 365"
    $user.metadata.vendor_name = "Microsoft"
    $user.security_result.action = "ALLOW"
    $user.security_result.detection_fields["Included Updated Properties"] = "StrongAuthenticationMethod"
    $user.extracted.fields["ModifiedProperties[0].NewValue"] = /\"MethodType\": 6/
    $user.extracted.fields["ModifiedProperties[0].OldValue"] = "[]"
    /* Example values
    extracted.fields["ModifiedProperties[0].NewValue"] = "[\r\n  {\r\n    \"MethodType\": 6,\r\n    \"Default\": true\r\n  },\r\n  {\r\n    \"MethodType\": 7,\r\n    \"Default\": false\r\n  }\r\n]"
    extracted.fields["ModifiedProperties[0].OldValue"] = "[]"
    */
    $user.extracted.fields["ModifiedProperties[1].Name"] = "Included Updated Properties"
    $user.extracted.fields["ModifiedProperties[1].NewValue"] = "StrongAuthenticationMethod"
    $user.extracted.fields["ModifiedProperties[1].OldValue"] = ""

  outcome:
    $tenant = array_distinct($user.principal.resource.product_object_id)
    $user_updated =  array_distinct($user.target.user.userid)
    $risk_score = 0

  condition:
    $user
}
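The rule above keys on the "Update user." audit record whose ModifiedProperties carry a StrongAuthenticationMethod change, with OldValue "[]" marking a fresh enrollment. The Python below is an added example (not part of this thread or of the Chronicle community rules) that applies the same logic to raw O365 unified audit log records and extends it to the other case the original question asked about: all methods removed (OldValue populated, NewValue "[]"). It looks properties up by Name rather than by array index, so it still fires if Microsoft reorders the ModifiedProperties entries. The record structure and the sample records are constructed for illustration; the MethodType codes are the ones quoted in the reply.

```python
import json

# MethodType codes quoted in the reply above (Azure AD StrongAuthenticationMethod).
METHOD_TYPES = {
    0: "PhoneAppNotification",
    2: "TwoWayVoiceMobile",
    5: "TwoWayVoiceOffice",
    6: "PhoneAppOTP",
    7: "OneWaySMS",
}


def parse_methods(value):
    """Parse the JSON string stored in a StrongAuthenticationMethod Old/NewValue.

    Returns the set of MethodType codes; "" or "[]" (no registered methods) gives an empty set.
    """
    if not value or not value.strip():
        return set()
    try:
        items = json.loads(value)
    except json.JSONDecodeError:
        return set()
    return {item["MethodType"] for item in items
            if isinstance(item, dict) and "MethodType" in item}


def classify_mfa_change(record):
    """Classify one audit record as an MFA enrollment, removal or modification.

    Returns None when the record is not an MFA-method update (the same filter the
    YARA-L rule applies: Operation "Update user." plus Included Updated Properties
    naming StrongAuthenticationMethod).
    """
    if record.get("Operation") != "Update user.":
        return None
    props = {p.get("Name"): p for p in record.get("ModifiedProperties", [])}
    if props.get("Included Updated Properties", {}).get("NewValue") != "StrongAuthenticationMethod":
        return None
    change = props.get("StrongAuthenticationMethod")
    if change is None:
        return None

    old = parse_methods(change.get("OldValue"))
    new = parse_methods(change.get("NewValue"))
    if not old and new:
        kind = "enrollment"      # the case the rule on the page matches (OldValue == "[]")
    elif old and not new:
        kind = "removal"         # every method deleted: the "deletes MFA" case
    elif new != old:
        kind = "modification"    # a method added to or removed from an existing set
    else:
        return None              # no net change in methods, e.g. only the Default flag moved

    return {
        "kind": kind,
        "user": record.get("ObjectId"),   # target user (hypothetical field placement)
        "actor": record.get("UserId"),    # who performed the update
        "added": sorted(METHOD_TYPES.get(m, f"Unknown({m})") for m in new - old),
        "removed": sorted(METHOD_TYPES.get(m, f"Unknown({m})") for m in old - new),
    }


def scan(records):
    """Run the classifier over a batch of records and keep only the alerts."""
    return [v for v in (classify_mfa_change(r) for r in records) if v is not None]


# Constructed sample records shaped like O365 unified audit log entries.
ENROLL_RECORD = {
    "Operation": "Update user.",
    "Workload": "AzureActiveDirectory",
    "UserId": "alice@example.com",
    "ObjectId": "alice@example.com",
    "ModifiedProperties": [
        {"Name": "StrongAuthenticationMethod",
         "NewValue": "[\r\n  {\r\n    \"MethodType\": 6,\r\n    \"Default\": true\r\n  },"
                     "\r\n  {\r\n    \"MethodType\": 7,\r\n    \"Default\": false\r\n  }\r\n]",
         "OldValue": "[]"},
        {"Name": "Included Updated Properties",
         "NewValue": "StrongAuthenticationMethod", "OldValue": ""},
    ],
}
REMOVAL_RECORD = {
    "Operation": "Update user.",
    "Workload": "AzureActiveDirectory",
    "UserId": "helpdesk@example.com",
    "ObjectId": "bob@example.com",
    "ModifiedProperties": [
        {"Name": "StrongAuthenticationMethod",
         "NewValue": "[]",
         "OldValue": "[{\"MethodType\": 6, \"Default\": true}]"},
        {"Name": "Included Updated Properties",
         "NewValue": "StrongAuthenticationMethod", "OldValue": ""},
    ],
}
UNRELATED_RECORD = {
    "Operation": "Update user.",
    "ModifiedProperties": [
        {"Name": "Included Updated Properties", "NewValue": "DisplayName", "OldValue": ""},
    ],
}

if __name__ == "__main__":
    for alert in scan([ENROLL_RECORD, REMOVAL_RECORD, UNRELATED_RECORD]):
        print(alert)
```

The "removal" branch is the one a detection engineer would most want to alert on with higher priority than enrollment, since clearing every registered method is also what an attacker does before re-enrolling their own device; in YARA-L that corresponds to swapping the OldValue and NewValue matches in the rule above.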