kcphilipm
commented
1 year ago Thanks for this post. A quick question for you. Were you able to get MFA statistics pulled from Azure?
Open a-blume opened 1 year ago
kcphilipm
commented
1 year ago Thanks for this post. A quick question for you. Were you able to get MFA statistics pulled from Azure?
a-blume
commented
1 year ago Thanks for this post. A quick question for you. Were you able to get MFA statistics pulled from Azure?
Yes, MFA challenges are included in the signin logs (with status.additionalDetails, status.errorCode, status.failureReason). Not the best example of the response in API docs but format looks like this: https://learn.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-1.0&tabs=http
kcphilipm
commented
1 year ago What I am trying to get into my dashboard is the MFA registration statistics that don't seem to be coming across in the Microsoft Azure App for Splunk. The "Accounts without Multi-Factor Authentication panel is not populating. I can see this data in the Azure portal and I assumed this was going to be pulled by the Splunk Add-on for Azure.
Microsoft Data: https://portal.azure.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/UserRegistrationDetails
kcphilipm
commented
1 year ago a-blume you can direct contact me if you'd like pmein at jccc.edu
a-blume
commented
1 year ago I looked into the app and to populate the "Accounts without MFA" panel it should be the sourcetype azure:securityCenter:task. We haven't onboarded that data yet ourselves but I believe the input "Azure Security Center Alerts & Tasks" is what you're looking for.
After getting all the Azure AD inputs to work (enterprise environment) I thought I might as well dump my fixes somewhere, in case you think it would be a good idea to improve the add-on/wiki with them. Apologies for wall of text.
1) TA-MS-AAD\appserver\static\js\build\globalConfig.json at line 1421: default value for name should be azure:aad:device, not 86400 2) TA-MS-AAD\appserver\static\js\build\globalConfig.json at line 1421: add defaultValue with value e.g. 86400 missing in this section 3) Add stanza for sourcetype azure:aad:device to props.conf
4) Add stanza for sourcetype azure:aad:identity_protection:risk_detection to props.conf
Sample timestamp: 2023-01-11T05:29:18.0996085Z Maybe add this as microseconds is probably good enough: TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N If so MAX_TIMESTAMP_LOOKAHEAD = 26
5) Add stanza for sourcetype azure:aad:identity_protection:risky_user to props.conf (same time format as risk detection)
6) MAX_TIMESTAMP_LOOKAHEAD missing for add-on logs
7) The Add-on Required Permissions matrix (google sheet) is missing information around the risky_user input/endpoint (role IdentityRiskyUser.Read.All) However the API endpoint is listed on the wiki page https://docs.google.com/spreadsheets/d/1YJAqNmcXZU-7O9CxVKupOkR6q2S8TXriMeLAUMYmMs4/edit#gid=0
8) Maybe clarify on the wiki that firewall openings will be required towards both these domains for Azure AD inputs. Since most likely a Heavy Forwarder running this won't have any internet access by default in an enterprise environment (it takes some time to figure out by inspecting the python scripts) login.microsoftonline.com TCP/443 graph.microsoft.com TCP/443
Edit: added bullet 9)
9) Minor CIM fix for Authentication and an attempt to map audit logs to Change in props.conf. Might want to add an eventtype and tags for the latter as well.