
I wonder if there is any way Google SIEM generates an alert for users who successfully log in by bypassing MFA or without MFA?

Are you referring to folks logging into GSO or other resources? 


Hi @tony_shek, following up on your post. Were you able to find an answer? 


Depending on your underlying log source and the mapping of values within your parser, Google Chronicle can enrich this data. Alternatively, this can be done by understanding the log source and its event types.

For example, Okta has some well-documented event types, identifiable here (EXTERNAL RESOURCE -> https://developer.okta.com/docs/reference/api/event-types). For instance, the event type 'user.mfa.attempt_bypass' indicates an attempt to bypass multi-factor authentication. This would be a solution to identify potential MFA bypass, reliant on the event type's accuracy.

Within Okta, a good solution to potentially identify users who do not have MFA enabled via logs (without admin access to Okta) is to look for the event type of a user login with no indication of any MFA/SSO-related event types generated thereafter. If this is difficult to identify, then testing can help craft a rule to look for this. See also this great article by Okta (EXTERNAL RESOURCE -> https://sec.okta.com/articles/2023/02/user-sign-and-recovery-events-okta-system-log#mfa).

Hope this helps!
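The two checks described in the answer above, as an added example that is not part of the original post and is not Google's or Okta's code: rule 1 flags every 'user.mfa.attempt_bypass' event, and rule 2 flags a successful 'user.session.start' that is not followed within a time window by an MFA/SSO event for the same user. It runs on raw Okta System Log JSON rather than Chronicle UDM, so the field names are Okta's; the sample records are constructed, and the set of event types taken to mean "MFA completed" ('user.authentication.auth_via_mfa', 'user.authentication.sso') is an assumption that should be confirmed with test logins in your own tenant, as the answer suggests.

```python
import json
from datetime import datetime, timedelta

# Okta System Log event types used by the two rules. The login and bypass
# names are from Okta's event-type reference; which events your tenant emits
# when a second factor is completed is an ASSUMPTION to confirm by testing
# (Classic Engine and Identity Engine differ, and ordering can differ too).
LOGIN_EVENT = "user.session.start"
BYPASS_EVENT = "user.mfa.attempt_bypass"
MFA_EVENTS = {"user.authentication.auth_via_mfa", "user.authentication.sso"}

# Constructed sample Okta System Log records (one JSON object per line),
# reduced to the fields the rules need. Not real tenant data.
SAMPLE_LOG = """
{"eventType": "user.session.start", "published": "2024-01-15T10:00:00.000Z", "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"}}
{"eventType": "user.authentication.auth_via_mfa", "published": "2024-01-15T10:00:05.000Z", "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"}}
{"eventType": "user.session.start", "published": "2024-01-15T10:01:00.000Z", "actor": {"alternateId": "bob@example.com"}, "outcome": {"result": "SUCCESS"}}
{"eventType": "user.mfa.attempt_bypass", "published": "2024-01-15T10:02:00.000Z", "actor": {"alternateId": "carol@example.com"}, "outcome": {"result": "FAILURE"}}
{"eventType": "user.session.start", "published": "2024-01-15T10:02:30.000Z", "actor": {"alternateId": "dave@example.com"}, "outcome": {"result": "FAILURE"}}
{"eventType": "user.session.start", "published": "2024-01-15T10:03:00.000Z", "actor": {"alternateId": "erin@example.com"}, "outcome": {"result": "SUCCESS"}}
{"eventType": "user.authentication.auth_via_mfa", "published": "2024-01-15T10:20:00.000Z", "actor": {"alternateId": "erin@example.com"}, "outcome": {"result": "SUCCESS"}}
"""


def parse_events(raw):
    """Parse newline-delimited JSON into dicts, adding a datetime 'ts' field,
    and return them sorted by time so later rules can scan forward."""
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_bypass_attempts(events):
    """Rule 1: every user.mfa.attempt_bypass is alert-worthy on its own,
    whatever the outcome, because it records that a bypass was attempted.
    Returns (user, outcome) pairs."""
    return [(e["actor"]["alternateId"], e["outcome"]["result"])
            for e in events if e["eventType"] == BYPASS_EVENT]


def find_logins_without_mfa(events, window=timedelta(minutes=5)):
    """Rule 2: a SUCCESSful session start for a user that is not followed,
    within `window`, by an MFA/SSO event for the same user.
    Failed logins are ignored. Returns (user, published) pairs."""
    hits = []
    for i, login in enumerate(events):
        if login["eventType"] != LOGIN_EVENT or login["outcome"]["result"] != "SUCCESS":
            continue
        user = login["actor"]["alternateId"]
        deadline = login["ts"] + window
        followed_by_mfa = any(
            e["eventType"] in MFA_EVENTS
            and e["actor"]["alternateId"] == user
            and login["ts"] <= e["ts"] <= deadline
            for e in events[i + 1:]
        )
        if not followed_by_mfa:
            hits.append((user, login["published"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("bypass attempts:", find_bypass_attempts(evs))
    print("logins without MFA:", find_logins_without_mfa(evs))
```

On the sample, rule 1 reports carol (a failed bypass attempt is still an attempt), and rule 2 reports bob (no MFA event at all) and erin (her MFA event arrives outside the 5-minute window), while alice passes and dave's failed login is ignored. The window is the knob to tune: too short and slow MFA completions look like bypasses, too long and a genuinely factor-less login can be "covered" by an unrelated later MFA event for the same user. In Chronicle the same logic would be expressed as a YARA-L rule over the UDM fields your Okta parser populates, with the event-type strings mapped accordingly.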

