How to enable logging of failed MFA attempts from Office365

ekta dhussa

Nov 3, 2022, 5:27:02 AM
to Wazuh mailing list
Hi Team,
How to enable logging of failed MFA attempts from Office365?
Regards,
Ekta

Delfina Lizarralde Bressan

Nov 3, 2022, 4:19:17 PM
to Wazuh mailing list
If I understood correctly, what you want is a rule that creates an event when there is a failed login to an Office 365 account.
If that's the case, this rule should work:

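<group name="office365">
     <!-- level must be a quoted value; replace x with the alert level you want -->
     <rule id="110102" level="x">
          <!-- if_matched_sid is used together with the frequency and timeframe rule attributes -->
          <if_matched_sid>91545</if_matched_sid>
          <match>UserLoginFailed</match>
          <description>Many user login attempts failed</description>
     </rule>
</group>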


Hope this helps.
Regards.
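
Added example, not part of the original thread and not Wazuh code: a small Python sketch of the correlation the rule above describes (repeated UserLoginFailed operations for one account inside a time window), handy for sanity-checking exported Office 365 audit records before choosing frequency and timeframe values. The field names follow the Office 365 audit record layout; the sample records, the threshold and the window are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real data), shaped like Office 365 audit entries.
SAMPLE_EVENTS = [
    {"CreationTime": "2022-11-03T05:20:00", "Operation": "UserLoginFailed", "UserId": "alice@example.com", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2022-11-03T05:20:05", "Operation": "UserLoginFailed", "UserId": "bob@example.com", "ClientIP": "203.0.113.9"},
    {"CreationTime": "2022-11-03T05:20:30", "Operation": "UserLoginFailed", "UserId": "alice@example.com", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2022-11-03T05:21:10", "Operation": "UserLoginFailed", "UserId": "alice@example.com", "ClientIP": "198.51.100.8"},
    {"CreationTime": "2022-11-03T05:21:40", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "198.51.100.8"},
    {"CreationTime": "2022-11-03T05:30:00", "Operation": "UserLoginFailed", "UserId": "bob@example.com", "ClientIP": "203.0.113.9"},
    {"CreationTime": "2022-11-03T05:30:20", "Operation": "UserLoginFailed", "UserId": "bob@example.com", "ClientIP": "203.0.113.9"},
]


def detect_failed_login_bursts(events, threshold=3, window=timedelta(minutes=2)):
    """Return one alert per account each time `threshold` failed logins
    fall inside `window` (both values are assumptions to tune)."""
    recent = defaultdict(deque)  # UserId -> deque of (timestamp, ClientIP)
    alerts = []
    # CreationTime strings share one ISO 8601 layout, so they sort chronologically.
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        if ev.get("Operation") != "UserLoginFailed":
            continue  # successful logins and other operations are ignored
        ts = datetime.fromisoformat(ev["CreationTime"])
        q = recent[ev["UserId"]]
        q.append((ts, ev.get("ClientIP", "unknown")))
        # Drop failures that have aged out of the sliding window.
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "user": ev["UserId"],
                "count": len(q),
                "at": ev["CreationTime"],
                "ips": sorted({ip for _, ip in q}),
            })
            q.clear()  # start counting again after alerting
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_EVENTS):
        print(alert)
```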

OZGURCE

Nov 11, 2022, 12:43:07 PM
to Wazuh mailing list
Hello Delfina,
I guess Ektad wanted to ask how to capture MFA events (Success or Fail) in Login Logs with Wazuh.

I've looked at the Login events, but these events don't provide authentication details, for example: Single-factor authentication, MFA, Password Hash, etc.
Office 365 Management APIs may not provide these events.

Regards.

On Thursday, November 3, 2022 at 23:19:17 UTC+3, delfina.l...@wazuh.com wrote: