This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 90%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMI%3C/text%3E%3C/svg%3E)
Hi there,
We are sending all Office 365/Azure logs to our SIEM platform, and we would like to visualise the authentication type (single factor/multifactor) and registered MFA method (phone, email, authenticator app, etc) for each user. I am aware that this information can be seen on Microsoft Entra admin center, but we would like to see it in our SIEM for all users and all tenancies we manage. However, we cannot find where this information is located on the logs we receive from Office 365.
I will appreciate if someone explain where can we find the information in the logs, and if not part of the logs, where else can we find it?
I am also attaching screenshots of the details we like to see in the logs.
Regards
M.
What is the SIEM that you are using?
How is your SIEM connected to Entra ID?
Hi Carlos, the SIEM we use is Wazuh, however I do not think that the SIEM vendor make any difference. The issue is that we do not see the authentication type data on the logs received from Office 365. I will also mention that the tenancy is using Entra ID free tier and not P1 or P2.
Having said this, is there a way for us to see the authentication type from Office 365 logs or not?
Wazuh is connected to Office 365 with API. Full documentation here - https://documentation.wazuh.com/current/cloud-security/office365/monitoring-office365-activity.html#setting-up-office-365-for-monitoring
Thanks
M.
Hi there,
It is relevant what the SIEM that you are using is because it will depend on your SIEM whether it can meet your requirements or not.
According to the same documentation you shared, it looks like these logs are out of the scope of your SIEM.
Hope this helps.
If the answer helped you, please accept it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 24%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
Hi Carlos,
Would you happen to know if these logs would be in scope for Elastic SIEM?
