Show Office 365 Authentication type per user in Wazuh


M.

Apr 8, 2024, 2:49:41 PM
to Wazuh | Mailing List
Hi there,

I recently installed Wazuh (all-in-one installation) as I wanted to get familiar with it and use it to monitor a small infrastructure - about 10 endpoints, 2 FortiGate firewalls and a single Office 365 tenancy.
I followed this guide to configure the integration and it seems to work, as I can see 365 events reaching our Wazuh manager. The plan is to use Wazuh to show whether the users are using MFA when they authenticate or not. This information is shown in Azure under the user's Sign-in logs section, as per the attached screenshot (all sensitive information is purposely hidden).

How can I visualize the Office 365 authentication type in Wazuh? I cannot see this data present in the logs from 365. An example log is also attached.

I will appreciate it if someone can help me with this.

Regards




365 SigInn log in Azure.PNG
365 SignIn log in Wazuh.txt

Nahuel Figueroa

Apr 9, 2024, 1:57:29 PM
to Wazuh | Mailing List
Hi! I was investigating and there doesn't seem to be any log that gives information about the authentication method; however, you can configure the Azure AD integration with Wazuh to capture logs related to authentication and view the authentication method used. Something else that may help is perhaps using the Office 365 API to access detailed information about authentication events. You can develop a script or application to interact with this API and then send the captured data to Wazuh for analysis.

M.

Apr 10, 2024, 5:04:35 AM
to Wazuh | Mailing List
Hi Nahuel and thanks for your reply.

I already have an integration with Azure and logs are sent to the Wazuh manager.

Could you please expand on the "however you can configure the Azure AD integration with Wazuh to capture logs related to authentication and view the authentication method used" part of your reply? Do you mean there is some additional configuration which I am missing, and hence I cannot see authentication type related logs?

I will appreciate it if you send over any knowledge base describing the configuration process.

Thanks in advance.

M.

Nahuel Figueroa

Apr 12, 2024, 10:07:11 AM
to Wazuh | Mailing List

M.

May 9, 2024, 11:19:53 AM
to Wazuh | Mailing List
Hi Nahuel and sorry for the late reply.

I did not follow the documentation you suggested (https://documentation.wazuh.com/current/cloud-security/azure/posture-management.html#integrating-wazuh-with-microsoft-azure) as it requires an Azure subscription and, accordingly, a cost to use Azure Logs Analytics Workspace.

Can anyone tell me if they managed to get an Entra ID user's authentication type without any extra cost paid to Microsoft? The tenant I am testing with is on the Entra ID free licence.


Thanks