This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 52%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Below is a redacted payload I am viewing in QRadar. Within the payload is a field named "UserAuthenticationMethod" followed by a variable value. In this case it is 16. I am wondering where I can view documentation which shows what these values mean in terms of authentication? Please someone help.
{"CreationTime":"2023-07-19T10:31:42","Id":"ddd5f7e3-932c-4886-843c-1519748f1300","Operation":"UserLoggedIn","OrganizationId":"redacted","RecordType":15,"ResultStatus":"Success","UserKey":"redacted","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"redacted","ObjectId":"00000002-0000-0000-c000-000000000000","UserId":"redacted","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.86"},{"Name":"UserAuthenticationMethod","Value":"16"},{"Name":"RequestType","Value":"Login:login"}],"ModifiedProperties":[],"Actor":[{"ID":"redacted","Type":0},{"ID":"redacted","Type":5}],"ActorContextId":"a72dda32-ee80-4da8-a3ac-ec0e9e41a50a","ActorIpAddress":"62.67.251.130","InterSystemsId":"dc7088bf-5adc-448d-a3df-24f1a6a3a895","IntraSystemId":"ddd5f7e3-932c-4886-843c-1519748f1300","SupportTicketId":"","Target":[{"ID":"00000002-0000-0000-c000-000000000000","Type":0}],"TargetContextId":"a72dda32-ee80-4da8-a3ac-ec0e9e41a50a","ApplicationId":"a93d9727-9989-48a9-ac5a-11702e33732f","DeviceProperties":[{"Name":"Id","Value":"54177c26-b44a-4c71-9f5c-7c20d2c58869"},{"Name":"DisplayName","Value":"BTA-L-PC0Z61DL"},{"Name":"OS","Value":"Windows 10"},{"Name":"BrowserType","Value":"Edge"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"TrustType","Value":"0"},{"Name":"SessionId","Value":"9e670809-f72e-4324-a408-ca94e930b13c"}],"ErrorNumber":"0"}
Some of those enum values can be found here: https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-authenticationmethod---type-edmint32
Others, you can find in the specific workload's documentation. Yet others are simply not documented publicly, so we can only guess about them...
Thank Vasil! Is there anyway to tell if MFA is enforced for that particular authentication session or would that be found under a different event type?
If you are interested in the finer details, I'd strongly recommend you ditch the sign-in event collection via the old Management activities API and ingest them via the Azure AD endpoints instead. Here's a list of the available options: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/overview-monitoring#diagnostic-settings-configuration
For QRadar, this should be the preferred method: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub