elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Rule] Azure User Reported Fraud #3449

Open willemdh opened 6 months ago

willemdh commented 6 months ago

Description

It's good to have an alert when a user reports fraud in the MS Authenticator. We set severity to High.

Required Info

Users can report fraud in the Microsoft Authenticator application.

Target indexes

azure.auditlogs-*

Target Operating Systems

Azure

Platforms

Azure

Tested ECS Version

8.0.0

Optional Info

The user name is in azure.auditlogs.properties.initiated_by.user.userPrincipalName. It would be nice if this could be copied to user.name and related.users in the Azure Logs integration.

Query

event.dataset: azure.auditlogs AND event.action: "Fraud reported - user is blocked for MFA"

New fields required in ECS/data sources for this rule?

No

References

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings#fraud-alert

Example Data

{
  "Level": 4,
  "category": "AuditLogs",
  "correlationId": "corlid",
  "durationMs": 0,
  "operationName": "Fraud reported - user is blocked for MFA",
  "operationVersion": "1.0",
  "properties": {
    "activityDateTime": "2024-02-14T06:44:17.8130902+00:00",
    "activityDisplayName": "Fraud reported - user is blocked for MFA",
    "additionalDetails": [
      {"key": "AuthenticationMethod", "value": "Mobile app notification"}
    ],
    "category": "UserManagement",
    "correlationId": "corlid",
    "id": "Azure MFA_corlid_CHARS",
    "initiatedBy": {
      "user": {
        "displayName": null,
        "id": "userid",
        "ipAddress": "",
        "roles": [],
        "userPrincipalName": "user.email@domain.tld"
      }
    },
    "loggedByService": "Azure MFA",
    "operationType": "",
    "result": "success",
    "resultReason": "Successfully reported fraud",
    "targetResources": [
      {
        "administrativeUnits": [],
        "displayName": null,
        "id": "userid",
        "modifiedProperties": [],
        "type": "User",
        "userPrincipalName": "user.email@domain.tld"
      }
    ],
    "userAgent": null
  },
  "resourceId": "/tenants/tenantId/providers/Microsoft.aadiam",
  "resultDescription": "Successfully reported fraud",
  "resultSignature": "None",
  "tenantId": "tenenatid",
  "time": "2024-02-14T06:44:17.8130902Z"
}
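The rule logic and the requested user enrichment, as an added example that is not part of the issue or of the detection-rules repository: it flattens a raw audit-log event (constructed from the sample above, with the sample's own placeholder ids) into the dotted fields the KQL query references, applies the query, and copies the reporting user's UPN into `user.name` and the ECS `related.user` field. It assumes the Azure Logs integration maps `operationName` to `event.action`, which is what the query on this page relies on.

```python
import json
from typing import Optional

# Raw Azure AD audit-log event, constructed from the sample in this issue
# (ids such as "userid" and "corlid" are the sample's own placeholders).
RAW_EVENT = json.loads("""{"category":"AuditLogs",
"operationName":"Fraud reported - user is blocked for MFA",
"properties":{"activityDateTime":"2024-02-14T06:44:17.8130902+00:00",
"initiatedBy":{"user":{"id":"userid","userPrincipalName":"user.email@domain.tld"}},
"resultReason":"Successfully reported fraud",
"targetResources":[{"type":"User","id":"userid","userPrincipalName":"user.email@domain.tld"}]}}""")

FRAUD_ACTION = "Fraud reported - user is blocked for MFA"


def to_ecs(raw: dict) -> dict:
    """Flatten the raw event into the dotted field names the rule queries.
    Assumption: the integration copies operationName into event.action."""
    # initiatedBy may carry an "app" instead of a "user"; tolerate a missing user.
    initiated = raw.get("properties", {}).get("initiatedBy", {}).get("user") or {}
    upn = initiated.get("userPrincipalName")
    doc = {
        "event.dataset": "azure.auditlogs",
        "event.action": raw.get("operationName"),
        "azure.auditlogs.properties.initiated_by.user.userPrincipalName": upn,
    }
    # Enrichment requested in the issue: expose the reporting user in ECS user
    # fields so analysts can pivot on the account across other data sources.
    if upn:
        doc["user.name"] = upn
        doc["related.user"] = [upn]
    return doc


def rule_matches(doc: dict) -> bool:
    """event.dataset: azure.auditlogs AND event.action: "<fraud string>" (the rule's KQL)."""
    return doc.get("event.dataset") == "azure.auditlogs" and doc.get("event.action") == FRAUD_ACTION


def evaluate(raw: dict) -> Optional[dict]:
    """Return an alert (severity high, as requested in the issue) or None."""
    doc = to_ecs(raw)
    if not rule_matches(doc):
        return None
    return {"rule": "Azure User Reported Fraud", "severity": "high",
            "user.name": doc.get("user.name"), "related.user": doc.get("related.user", [])}


if __name__ == "__main__":
    print(evaluate(RAW_EVENT))
    # A routine audit event of the same shape with another operationName does not fire.
    print(evaluate(dict(RAW_EVENT, operationName="Update user")))
```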

botelastic[bot] commented 4 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.