Successful login - parse for Azure MFA?

Iron Contributor

We currently have a policy checking for "Successful login from outside Australia".

This was working fine until we added the Azure ATP integration; then we started seeing lots of reports from "Internal IP" addresses in the 10.x.x.x range. This has largely been resolved by adding these IP address ranges to the list of IP addresses and enabling the "Override" for location, setting that to Australia.

However, as this customer now enables Azure MFA for any/all users needing/wanting access from outside Australia, this has now made the policy/alert somewhat redundant. Question: is it possible to take this current alert and have it figure out if CA and MFA have been applied? *IF* applied correctly, no alert; *IF* NOT applied, then raise a high-level incident/alert.

Is this possible? It looks like it might need to head to Flow to find out?
Or is this something that can be driven by Sentinel?

Is there any other easier way of achieving this?

3 Replies
best response confirmed by David Caddick (Iron Contributor)
Solution

Hi @David Caddick ,

 

Thanks for contacting us. Instead of adding the internal IP list, you could exclude "Active Directory" (Azure ATP) from the app list in your activity policy.

 

To answer your question, this is not possible at the moment but we are looking at providing visibility on the MFA status during a logon. We are still researching but this could indeed be a great scenario!

 

Thanks

Thanks @Sebastien Molendijk

Can it not be achieved via Flow possibly?

But it would be great if you could possibly pull in CA rules and MFA success; but then I guess this might also be able to be achieved in Azure Sentinel.

I really like the rich context that comes through on the MCAS, but it seems that MS is missing a few items?

  • Enabling Azure MFA is good, but it also happens so infrequently (to the user) because of the 14/30 day "remember" that I can't help feeling like I need a check and balance on that: user logged in from overseas/non-trusted location & was NOT MFA'd?
  • Where are the details regarding Legacy vs. Modern Auth? Critical to helping customers understand it's bad...
  • I can see in Sentinel that we have to effectively "build a function" almost to identify it; it shouldn't be this hard.
  • I can see bad password attempts from CN, BR, etc., but there is no clear way of "actioning" this to help bolster security?
  • Even when you see an IP address used consistently in password spray, it's not possible to pivot on an action item & "add this IP address to Blacklist"?

@Sebastien Molendijk just wondering if you might have anyone attending the RSA Conference in Singapore from the 15th-18th July? Keen to have a deeper conversation if there are any MCAS folks there?
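The check the thread is asking for, written out as an added example that is not part of the original thread and not Microsoft's or MCAS's own logic: a successful sign-in from a location other than Australia, with internal 10.x.x.x source addresses overridden to AU as the poster configured, raises a High alert only when MFA was not applied, and the alert carries a legacy-vs-modern-auth flag for the second bullet above. It assumes the field names of the Azure AD SigninLogs table as exported to Sentinel (`ResultType`, `Location`, `IPAddress`, `AuthenticationRequirement`, `ConditionalAccessStatus`, `ClientAppUsed`); the sample records, the contoso.example users and the `MODERN_AUTH_CLIENTS` classification are constructed for this example.

```python
"""Added example: flag successful Azure AD sign-ins from outside Australia
that were not protected by MFA, with the internal-IP location override
described in the thread. Not code from the original post or from MCAS."""
import ipaddress
import json
from typing import Dict, List, Optional

# Home country and the internal ranges treated as "AU" (the override the
# poster configured for Azure ATP's 10.x.x.x sources).
HOME_COUNTRY = "AU"
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]

# Assumption for this example: any ClientAppUsed value other than these two
# modern-auth clients is treated as legacy authentication.
MODERN_AUTH_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample sign-ins (not real data). Field names follow the Azure AD
# SigninLogs schema as seen in Sentinel (assumption); all values are made up.
SAMPLE_SIGNINS = """\
{"TimeGenerated": "2019-06-20T01:12:03Z", "UserPrincipalName": "alice@contoso.example", "IPAddress": "203.0.113.10", "Location": "AU", "ResultType": "0", "ConditionalAccessStatus": "success", "AuthenticationRequirement": "multiFactorAuthentication", "ClientAppUsed": "Browser"}
{"TimeGenerated": "2019-06-20T02:40:11Z", "UserPrincipalName": "bob@contoso.example", "IPAddress": "198.51.100.7", "Location": "SG", "ResultType": "0", "ConditionalAccessStatus": "success", "AuthenticationRequirement": "multiFactorAuthentication", "ClientAppUsed": "Browser"}
{"TimeGenerated": "2019-06-20T03:05:46Z", "UserPrincipalName": "carol@contoso.example", "IPAddress": "198.51.100.9", "Location": "US", "ResultType": "0", "ConditionalAccessStatus": "notApplied", "AuthenticationRequirement": "singleFactorAuthentication", "ClientAppUsed": "Browser"}
{"TimeGenerated": "2019-06-20T03:17:30Z", "UserPrincipalName": "dave@contoso.example", "IPAddress": "10.20.30.40", "Location": "", "ResultType": "0", "ConditionalAccessStatus": "notApplied", "AuthenticationRequirement": "singleFactorAuthentication", "ClientAppUsed": "Other clients"}
{"TimeGenerated": "2019-06-20T04:02:59Z", "UserPrincipalName": "erin@contoso.example", "IPAddress": "192.0.2.55", "Location": "CN", "ResultType": "50126", "ConditionalAccessStatus": "notApplied", "AuthenticationRequirement": "singleFactorAuthentication", "ClientAppUsed": "IMAP4"}
{"TimeGenerated": "2019-06-20T04:45:12Z", "UserPrincipalName": "frank@contoso.example", "IPAddress": "198.51.100.20", "Location": "BR", "ResultType": "0", "ConditionalAccessStatus": "notApplied", "AuthenticationRequirement": "singleFactorAuthentication", "ClientAppUsed": "Exchange ActiveSync"}
"""


def effective_location(record: Dict) -> str:
    """Country of the sign-in, with internal source IPs overridden to HOME_COUNTRY."""
    try:
        ip = ipaddress.ip_address(record.get("IPAddress", ""))
    except ValueError:
        return record.get("Location", "") or "unknown"
    if any(ip in net for net in INTERNAL_RANGES):
        return HOME_COUNTRY
    return record.get("Location", "") or "unknown"


def evaluate_signin(record: Dict) -> Optional[Dict]:
    """Return a High alert for a successful sign-in from outside HOME_COUNTRY
    that was not MFA'd; return None when no alert is warranted."""
    if record.get("ResultType") != "0":      # failed sign-in: out of scope for this policy
        return None
    location = effective_location(record)
    if location == HOME_COUNTRY:
        return None
    mfa_applied = record.get("AuthenticationRequirement") == "multiFactorAuthentication"
    if mfa_applied:
        return None                           # CA/MFA did its job: no alert
    client = record.get("ClientAppUsed", "")
    return {
        "severity": "High",
        "user": record.get("UserPrincipalName"),
        "ip": record.get("IPAddress"),
        "location": location,
        "conditional_access": record.get("ConditionalAccessStatus"),
        "legacy_auth": client not in MODERN_AUTH_CLIENTS,
        "client": client,
    }


def find_alerts(ndjson: str) -> List[Dict]:
    """Run evaluate_signin over newline-delimited JSON sign-in records."""
    alerts = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        alert = evaluate_signin(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_SIGNINS):
        print(alert)
```

On the sample data only carol (US, browser, no MFA) and frank (BR, Exchange ActiveSync, no MFA, flagged as legacy auth) produce alerts; bob's Singapore sign-in is suppressed because MFA was applied, dave's 10.x source is overridden to AU, and erin's failed sign-in is ignored. The same three conditions (`ResultType == "0"`, `Location != "AU"`, `AuthenticationRequirement != "multiFactorAuthentication"`) are what a Sentinel analytics rule over SigninLogs would filter on. One caveat worth checking in your own tenant before relying on this: a sign-in that satisfies MFA through a remembered device or an existing claim is still recorded as a multi-factor requirement in the sign-in logs, so the "14/30 day remember" concern in the bullet above is not the same thing as an MFA bypass and will not show up here as one.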
