
[New Rule] Azure User Reported Fraud #3449

Open
willemdh opened this issue Feb 17, 2024 · 1 comment

Comments

@willemdh

willemdh commented Feb 17, 2024

Description

It's good to have an alert when a user reports fraud in the MS Authenticator. We set severity to High.

Required Info

Users can report fraud in the Microsoft Authenticator application.

Target indexes

azure.auditlogs-*

Target Operating Systems

Azure

Platforms

Azure

Tested ECS Version

8.0.0

Optional Info

The user name is in azure.auditlogs.properties.initiated_by.user.userPrincipalName. It would be nice if this could be copied to user.name and related.users in the Azure Logs integration.

Query

event.dataset: azure.auditlogs AND event.action: "Fraud reported - user is blocked for MFA"

New fields required in ECS/data sources for this rule?

No

References

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings#fraud-alert

Example Data

{
  "Level": 4,
  "category": "AuditLogs",
  "correlationId": "corlid",
  "durationMs": 0,
  "operationName": "Fraud reported - user is blocked for MFA",
  "operationVersion": "1.0",
  "properties": {
    "activityDateTime": "2024-02-14T06:44:17.8130902+00:00",
    "activityDisplayName": "Fraud reported - user is blocked for MFA",
    "additionalDetails": [
      {"key": "AuthenticationMethod", "value": "Mobile app notification"}
    ],
    "category": "UserManagement",
    "correlationId": "corlid",
    "id": "Azure MFA_corlid_CHARS",
    "initiatedBy": {
      "user": {
        "displayName": null,
        "id": "userid",
        "ipAddress": "",
        "roles": [],
        "userPrincipalName": "user.email@domain.tld"
      }
    },
    "loggedByService": "Azure MFA",
    "operationType": "",
    "result": "success",
    "resultReason": "Successfully reported fraud",
    "targetResources": [
      {
        "administrativeUnits": [],
        "displayName": null,
        "id": "userid",
        "modifiedProperties": [],
        "type": "User",
        "userPrincipalName": "user.email@domain.tld"
      }
    ],
    "userAgent": null
  },
  "resourceId": "/tenants/tenantId/providers/Microsoft.aadiam",
  "resultDescription": "Successfully reported fraud",
  "resultSignature": "None",
  "tenantId": "tenenatid",
  "time": "2024-02-14T06:44:17.8130902Z"
}

@willemdh willemdh added the Rule: New Proposal for new rule label Feb 17, 2024
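The proposed query, run over constructed audit log lines. This is an added example and not code from the issue, the Elastic Azure integration or the detection-rules repository: it maps a raw AuditLogs record into an ECS-style document, applies `event.dataset: azure.auditlogs AND event.action: "Fraud reported - user is blocked for MFA"`, and performs the `user.name` / `related.user` copy the issue asks for. The field `azure.auditlogs.properties.initiated_by.user.userPrincipalName` is the one named in the issue; that `event.action` is filled from `operationName`, and the other `azure.*` names, are assumptions. The second operation name, "Fraud reported - no action taken", is the entry the linked Microsoft page documents for tenants where automatic blocking is off; the example shows that the query as written only fires on the blocked variant, so a tenant with that setting off would want both strings in the rule.

```python
"""Run the proposed fraud-report query over constructed Azure audit log lines."""
import json
from typing import Any, Iterable, Optional

# operationName matched by the query proposed in this issue
FRAUD_BLOCKED = "Fraud reported - user is blocked for MFA"
# operationName the linked Microsoft page documents when automatic blocking is off
FRAUD_NO_ACTION = "Fraud reported - no action taken"


def _fraud_event(operation: str, upn: str) -> str:
    """Constructed Azure MFA audit event in the shape of the issue's example (placeholder ids)."""
    return json.dumps({
        "Level": 4,
        "category": "AuditLogs",
        "operationName": operation,
        "properties": {
            "activityDisplayName": operation,
            "additionalDetails": [{"key": "AuthenticationMethod", "value": "Mobile app notification"}],
            "category": "UserManagement",
            "initiatedBy": {"user": {"displayName": None, "id": "userid", "ipAddress": "",
                                     "roles": [], "userPrincipalName": upn}},
            "loggedByService": "Azure MFA",
            "result": "success",
            "resultReason": "Successfully reported fraud",
            "targetResources": [{"id": "userid", "type": "User", "userPrincipalName": upn}],
        },
        "tenantId": "tenantid",
        "time": "2024-02-14T06:44:17.8130902Z",
    })


# Constructed sample lines: two fraud reports and one unrelated directory change.
SAMPLE_LINES = [
    _fraud_event(FRAUD_BLOCKED, "alice@example.com"),
    _fraud_event(FRAUD_NO_ACTION, "bob@example.com"),
    json.dumps({
        "category": "AuditLogs",
        "operationName": "Update user",
        "properties": {"initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
                       "loggedByService": "Core Directory", "result": "success"},
        "time": "2024-02-14T07:00:00Z",
    }),
]


def to_ecs(raw: dict[str, Any]) -> dict[str, Any]:
    """Map a raw audit record to the ECS-style document the query runs against.

    azure.auditlogs.properties.initiated_by.user.userPrincipalName is the field the
    issue names; event.action <- operationName and the remaining azure.* names are
    assumptions, as is the requested copy into user.name and related.user.
    """
    props = raw.get("properties") or {}
    initiator = (props.get("initiatedBy") or {}).get("user") or {}
    upn = initiator.get("userPrincipalName")
    doc: dict[str, Any] = {
        "@timestamp": raw.get("time"),
        "event": {"dataset": "azure.auditlogs", "action": raw.get("operationName"),
                  "outcome": props.get("result")},
        "azure": {"auditlogs": {
            "operation_name": raw.get("operationName"),
            "result_reason": props.get("resultReason"),
            "properties": {
                "logged_by_service": props.get("loggedByService"),
                "initiated_by": {"user": {"id": initiator.get("id"), "userPrincipalName": upn}},
            },
        }},
    }
    if upn:  # the enrichment the issue asks the integration for
        doc["user"] = {"name": upn}
        doc["related"] = {"user": [upn]}
    return doc


def matches_rule(doc: dict[str, Any], actions: Iterable[str] = (FRAUD_BLOCKED,)) -> bool:
    """event.dataset: azure.auditlogs AND event.action: <one of actions>."""
    return doc["event"]["dataset"] == "azure.auditlogs" and doc["event"]["action"] in tuple(actions)


def run_rule(lines: Iterable[str],
             actions: Iterable[str] = (FRAUD_BLOCKED,)) -> list[tuple[Optional[str], str]]:
    """Return (user.name, event.action) for each line the query would alert on."""
    wanted = tuple(actions)
    hits = []
    for line in lines:
        doc = to_ecs(json.loads(line))
        if matches_rule(doc, wanted):
            hits.append((doc.get("user", {}).get("name"), doc["event"]["action"]))
    return hits


if __name__ == "__main__":
    print("as proposed:", run_rule(SAMPLE_LINES))
    print("both fraud entries:", run_rule(SAMPLE_LINES, (FRAUD_BLOCKED, FRAUD_NO_ACTION)))
```

Running it shows one hit for the query as proposed and two when both documented operation names are included; the `Update user` line never matches because `event.action` differs, even though it comes from the same dataset.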
@botelastic

botelastic bot commented Apr 17, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Apr 17, 2024
@Mikaayenson Mikaayenson added backlog Area: RAD and removed stale 60 days of inactivity labels Apr 17, 2024
@terrancedejesus terrancedejesus self-assigned this Jun 22, 2024