o365 MFA Failure


robert.craw...@gmail.com

Dec 27, 2022, 12:09:48 PM
to Wazuh mailing list
Is there a rule for when an MFA times out? That should honestly be a level 12 alert, especially if the distance between the two points is large.

Jose Camargo

Dec 27, 2022, 1:20:47 PM
to Wazuh mailing list
Hi Robert,

As you can see in the default O365 rules here, there is no specific rule for MFA events. So, in this case, you'll have to create one of your own as explained in this document, using the original log associated with this event.

For this, you'll have to enable the logall_json option in your manager's /var/ossec/etc/ossec.conf file and then restart the manager. After this, you have to search for the log in your manager's /var/ossec/logs/archives/archives.json file, using a search command like this one:

grep -i "MFA" /var/ossec/logs/archives/archives.json

Once you have the corresponding log, you can then use it to create the custom rule. Please remember to disable the logall_json option, as it will consume a lot of disk space.

If you want, you can send us some examples of those logs and we can help you create some basic rules for it.

I'll be awaiting your comments.

Regards,
Jose
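The two configuration fragments the steps above call for, as an added example that is not part of the original thread and not the Wazuh project's own rules: the ossec.conf switch that makes the raw record land in archives.json, and a local_rules.xml pair that turns a captured O365 MFA failure into an alert. The field names and values in the rule (office365.Operation, office365.LogonError, office365.UserId and the matched strings) are assumptions about what the archived record will contain; they must be checked against the actual log you grep out and adjusted.

```xml
<!-- 1. /var/ossec/etc/ossec.conf on the manager: archive every event so the
        raw O365 record can be found in /var/ossec/logs/archives/archives.json.
        Set this back to "no" and restart once the sample has been captured;
        it fills the disk quickly. -->
<ossec_config>
  <global>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>

<!-- 2. /var/ossec/etc/rules/local_rules.xml: custom rules built from the
        captured record. The O365 integration delivers each record as
        {"integration":"office365","office365":{...}}, so JSON keys are
        referenced as office365.<Key> in <field>. The Operation value and
        the LogonError/"StrongAuth" match are ASSUMPTIONS for illustration:
        replace them with the keys and values present in your archived log. -->
<group name="office365,authentication_failed,">

  <!-- A single MFA failure. IDs 100000 and above are reserved for custom rules. -->
  <rule id="100100" level="5">
    <decoded_as>json</decoded_as>
    <field name="integration">^office365$</field>
    <field name="office365.Operation">^UserLoginFailed$</field>
    <field name="office365.LogonError">StrongAuth</field>
    <description>Office 365: MFA challenge failed or timed out for user $(office365.UserId)</description>
    <options>no_full_log</options>
    <group>mfa,</group>
  </rule>

  <!-- Escalate when the same user keeps failing MFA: three matches of rule
       100100 within 300 seconds raise the level-12 alert asked for above. -->
  <rule id="100101" level="12" frequency="3" timeframe="300">
    <if_matched_sid>100100</if_matched_sid>
    <same_field>office365.UserId</same_field>
    <description>Office 365: repeated MFA failures for user $(office365.UserId)</description>
    <group>mfa,multiple_mfa_failures,</group>
  </rule>

</group>
```

Before restarting the manager, paste the captured archives.json record into /var/ossec/bin/wazuh-logtest and confirm that rule 100100 is the one that fires; if it does not, the field names above do not match the decoded event and need to be taken from the logtest output. Note that the distance-between-logins check mentioned in the question is not something these rules do; they only correlate on the user.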