MFA Logs for SIEM

Oscar Daniel 0 Reputation points
2023-06-13T15:18:48.8233333+00:00

Hi all,

I need to integrate MFA events in QRadar, but I can't find the events in Azure AD or O365.

Microsoft Security | Microsoft Authenticator

1 answer

  1. Carlos Solís Salazar 18,201 Reputation points MVP Volunteer Moderator
    2023-06-14T11:29:50.4866667+00:00

    Thank you for asking this question on the Microsoft Q&A Platform.

    You can view the Azure AD MFA event logs in your Azure AD portal:

    [Screenshot: example Azure Active Directory sign-ins report in the Azure portal]

    | Report | Location | Description |
    | --- | --- | --- |
    | Blocked User History | Azure AD > Security > MFA > Block/unblock users | Shows the history of requests to block or unblock users. |
    | Usage for on-premises components | Azure AD > Security > MFA > Activity Report | Provides information on overall usage for MFA Server. NPS extension and AD FS logs for cloud MFA activity are now included in the Sign-in logs, and no longer published on this report. |
    | Bypassed User History | Azure AD > Security > MFA > One-time bypass | Provides a history of MFA Server requests to bypass MFA for a user. |
    | Server status | Azure AD > Security > MFA > Server status | Displays the status of MFA Servers associated with your account. |

    More info: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-reporting

    To send the Azure AD logs to your SIEM, you must stream Azure Active Directory logs to an Azure event hub:

    Set up Azure Monitor diagnostics settings to stream Azure Active Directory (Azure AD) logs to an Azure event hub. Use this mechanism to integrate your logs with third-party Security Information and Event Management (SIEM) tools, such as Splunk and QRadar.

    Hope this helps!


    Accept Answer and Upvote if any of the above helped; this thread can help others in the community looking for remediation for similar issues.

    NOTE: To answer you as quickly as possible, please mention me in your reply.
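
Once sign-in logs reach the event hub, the MFA activity has to be picked out of the sign-in records before it is forwarded to the SIEM. The sketch below is an added example, not part of the answer above or of any Microsoft or QRadar tooling. It assumes the Azure Monitor `{"records": [...]}` envelope with the Microsoft Graph `signIn` field names under `properties`; the function name and the sample records are constructed for illustration.

```python
import json

SIGN_IN_CATEGORIES = {"SignInLogs", "NonInteractiveUserSignInLogs"}

# Constructed sample: one Event Hub message body in the {"records": [...]}
# envelope used by Azure Monitor diagnostic settings. All values are made up.
SAMPLE = json.dumps({"records": [
    {"time": "2023-06-14T11:00:00Z", "category": "SignInLogs", "properties": {
        "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
        "authenticationRequirement": "multiFactorAuthentication",
        "status": {"errorCode": 0}, "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True},
            {"authenticationMethod": "Mobile app notification", "succeeded": True}]}},
    {"time": "2023-06-14T11:05:00Z", "category": "SignInLogs", "properties": {
        "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
        "authenticationRequirement": "multiFactorAuthentication",
        "status": {"errorCode": 500121}, "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True},
            {"authenticationMethod": "Text message", "succeeded": False}]}},
    {"time": "2023-06-14T11:06:00Z", "category": "SignInLogs", "properties": {
        "userPrincipalName": "carol@example.com", "status": {"errorCode": 0},
        "authenticationRequirement": "singleFactorAuthentication",
        "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}]}},
    {"time": "2023-06-14T11:07:00Z", "category": "AuditLogs", "properties": {}},
]})


def mfa_events(message_body):
    """Return one flat dict per sign-in record in which MFA was required or attempted."""
    events = []
    for rec in json.loads(message_body).get("records", []):
        if rec.get("category") not in SIGN_IN_CATEGORIES:
            continue  # other log categories can share the same hub
        props = rec.get("properties") or {}
        # Simplification: every step other than the password counts as a second factor.
        steps = [s for s in props.get("authenticationDetails") or []
                 if s.get("authenticationMethod") != "Password"]
        required = props.get("authenticationRequirement") == "multiFactorAuthentication"
        if not (required or steps):
            continue  # single-factor sign-in, nothing MFA-related to forward
        failed_step = any(s.get("succeeded") is False for s in steps)
        ok = (props.get("status") or {}).get("errorCode") == 0
        outcome = "mfa_failed" if failed_step else "success" if ok else "signin_failed"
        events.append({"time": rec.get("time"), "user": props.get("userPrincipalName"),
                       "src_ip": props.get("ipAddress"), "outcome": outcome,
                       "methods": [s.get("authenticationMethod") for s in steps]})
    return events
```

Each returned dict can be serialized as one JSON line for the SIEM's log source; the `mfa_failed` outcome is the one most useful for alerting on repeated second-factor failures per user or source IP.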
