I wonder if there is any way Google SEIM generates an alert for the users who successfully login bypassing or without MFA?
Successful login alert without MFA
+14- Bronze 5
Depending on your underlying log source and the mapping of values within your parser, Google Chronicle can enrich this data. Alternatively via understanding the log source and their event types.
For example, OKTA have some great documented event types, identifiable here (EXTERNAL RESOURCE -> https://developer.okta.com/docs/reference/api/event-types) for example, utilising the event type 'user.mfa.attempt_bypass' indicates an attempt of bypassing multi-factor authentication. This would be a solution to identify potential MFA bypass, reliant on the event type's accuracy.
Within OKTA, a good solution to potentially identify users who do not have MFA enabled via logs (without Admin access to okta), is to look for the event type of a user login, with no indication of any MFA/SSO-related event types generated thereafter. If this is difficult to identify, then testing this can help craft a rule to look for this. As well as this great article by OKTA (EXTERNAL RESOURCE -> https://sec.okta.com/articles/2023/02/user-sign-and-recovery-events-okta-system-log#mfa).
Hope this helps!
Login to the community
Login with SSO
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.