Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Visualize Multi-Factor Authentication Logs with Oracle Cloud Infrastructure Logging Analytics
Introduction
In today’s digital landscape, ensuring the security of your cloud infrastructure is paramount. Multi-Factor Authentication (MFA) is a critical component of this security, providing an additional layer of protection for user accounts. However, implementing MFA is just the beginning. To truly safeguard your systems, you need to continuously monitor and analyze MFA logs to detect any anomalies or potential security threats.
Oracle Cloud Infrastructure (OCI) Logging Analytics for OCI Audit allows you to efficiently collect, analyze, and visualize audit logs, ensuring compliance and enhancing security monitoring. By leveraging powerful analytics, you can detect anomalies and gain insights into user activities within your OCI environment.
In this tutorial, we will delve into the intricacies of analyzing MFA logs within OCI Audit logs using OCI Logging Analytics. Whether you are a security professional, system administrator, or cloud architect, this tutorial will equip you with the knowledge and tools needed to effectively monitor and interpret MFA logs.
Objectives
- Extract extended fields in OCI Logging Analytics for specific MFA information from OCI Audit logs and set up visual dashboards for business and security purposes. We will download a dashboard whose widgets contain built-in search queries that display the different authentication factors used to log in to the OCI Console, giving visibility into MFA-related security threats and helping ensure users follow industry standards.
  Note: The dashboard is effective only if MFA is configured and performed through Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) as the identity provider (IdP). If you use another IdP, ensure that MFA events are logged in that IdP.
Prerequisites
- Admin access to an OCI tenancy, as most of the resources are created in the root compartment.
- Basic knowledge of OCI Logging Analytics.
- OCI Logging Analytics enabled and OCI Audit log collection configured. For more information, see Analyze Sample Logs with OCI Logging Analytics.
Visualize Multi-Factor Authentication Logs
- Log in to the OCI Console, navigate to Observability and Management, Logging Analytics, Administration, Sources, OCI Audit Logs and click Edit.
- In the Edit Source page, create three Extended Fields. Test each definition; the Status should indicate Success, as shown in the following screenshots. After testing, click Save.
  - First extended field.
    - Base Field: Select Original Log Content.
    - Example Base Field: Enter
      \"ssoAuthFactor\":\"TOTP\"
    - Extract Expression: Enter
      \\"ssoAuthFactor\\":\\"{User Authentication Method:\w+}
  - Second extended field.
    - Base Field: Select Original Log Content.
    - Example Base Field: Enter
      \"ssoMatchedSignOnRule\":\"OciConsoleMFANonAdminRule\"
    - Extract Expression: Enter
      \\"ssoMatchedSignOnRule\\":\\"{Rule:\w+}
  - Third extended field.
    - Base Field: Select Original Log Content.
    - Example Base Field: Enter
      \"ssoMatchedSignOnPolicyName\":\"Security Policy for OCI Console\"
    - Extract Expression: Enter
      \\"ssoMatchedSignOnPolicyName\\":\\"{User Authentication Policy:[^\"\,]+}\\"?
- (Optional) Once a user logs in to the OCI Console, the extended fields you created will be populated in the Log Explorer page.
- Download the zip file from here: OCI-MFA-Dashboard-main.zip. It contains the dashboard as a JSON file, which you will import into OCI Logging Analytics.
- In the Import dashboards window, select Specify a compartment and choose the root compartment for both Compartments for dashboards.
- The dashboard is populated from the search queries in each widget. Refer to the widgets in the sample dashboard shown in the following screenshots.
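To see what the three extract expressions above actually capture before you rely on the dashboard, here is an added Python example (not part of the tutorial and not an Oracle tool). It translates the Logging Analytics {Field Name:regex} extract syntax into Python named-group regexes, runs the three definitions over constructed sample lines shaped like the escaped sign-on JSON found in OCI Audit records, and counts logins per authentication factor the way the dashboard widget does. The sample records, the PUSH factor value, the OciConsoleMFAAdminRule and DefaultRule rule names and the Default Sign-On Policy name are all constructed for this example; it also assumes the extract syntax behaves like a plain regex capture, which is how the tutorial uses it. The third sample line carries no ssoAuthFactor value at all, which is the case a reviewer most wants surfaced: a console login that completed without an MFA factor.

```python
import re
from collections import Counter

# The three extended field definitions from the tutorial, in Logging Analytics
# "{Field Name:regex}" syntax, matched against the Original Log Content. The
# \\" sequences match the escaped quotes (\") that appear in the raw log line.
EXTRACT_EXPRESSIONS = [
    r'\\"ssoAuthFactor\\":\\"{User Authentication Method:\w+}',
    r'\\"ssoMatchedSignOnRule\\":\\"{Rule:\w+}',
    r'\\"ssoMatchedSignOnPolicyName\\":\\"{User Authentication Policy:[^\"\,]+}\\"?',
]

# prefix, field name, inner regex, suffix (assumption: one capture per expression)
_FIELD_SYNTAX = re.compile(r'(.*?)\{([^:}]+):(.*)\}(.*)')


def compile_extended_field(expression):
    """Translate one extract expression into (display_name, compiled_regex).
    The {Name:regex} capture becomes a named group; surrounding text is kept."""
    m = _FIELD_SYNTAX.fullmatch(expression)
    if not m:
        raise ValueError(f"no {{Field:regex}} capture in {expression!r}")
    prefix, name, inner, suffix = m.groups()
    group = re.sub(r'\W', '_', name)  # Python group names must be identifiers
    return name, re.compile(f'{prefix}(?P<{group}>{inner}){suffix}')


COMPILED_FIELDS = [compile_extended_field(e) for e in EXTRACT_EXPRESSIONS]


def extract_fields(log_line):
    """Apply all three extended fields to one raw log line.
    Fields whose pattern does not match are simply absent from the result."""
    result = {}
    for name, pattern in COMPILED_FIELDS:
        m = pattern.search(log_line)
        if m:
            result[name] = m.group(1)  # the {..} capture is the only group
    return result


def summarize_auth_factors(log_lines):
    """Count logins per authentication factor, like the dashboard widget.
    Lines with no ssoAuthFactor value are counted under 'none' so that
    logins completed without an MFA factor stand out."""
    counts = Counter()
    for line in log_lines:
        factor = extract_fields(line).get('User Authentication Method', 'none')
        counts[factor] += 1
    return dict(counts)


# Constructed sample of the Original Log Content of sign-on audit records: the
# sign-on details are a JSON string nested inside the record, so the inner
# quotes appear escaped as \" in the raw line. Values are constructed.
SAMPLE_LOG_LINES = [
    r'{"data":{"eventName":"InteractiveLogin","message":"{\"ssoAuthFactor\":\"TOTP\",\"ssoMatchedSignOnRule\":\"OciConsoleMFANonAdminRule\",\"ssoMatchedSignOnPolicyName\":\"Security Policy for OCI Console\"}"}}',
    r'{"data":{"eventName":"InteractiveLogin","message":"{\"ssoAuthFactor\":\"PUSH\",\"ssoMatchedSignOnRule\":\"OciConsoleMFAAdminRule\",\"ssoMatchedSignOnPolicyName\":\"Security Policy for OCI Console\"}"}}',
    # constructed login without any MFA factor in the record
    r'{"data":{"eventName":"InteractiveLogin","message":"{\"ssoMatchedSignOnRule\":\"DefaultRule\",\"ssoMatchedSignOnPolicyName\":\"Default Sign-On Policy\"}"}}',
]

if __name__ == '__main__':
    for line in SAMPLE_LOG_LINES:
        print(extract_fields(line))
    print(summarize_auth_factors(SAMPLE_LOG_LINES))
```

Note how the third expression's trailing \\"? matters: the character class [^\"\,]+ does not exclude the backslash, so without the suffix the captured policy name would end with a stray backslash; the suffix forces the regex to back off and leave the value clean.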
Next Steps
In this tutorial, we have covered how to set up visualization of Multi-Factor Authentication (MFA) logs using OCI Logging Analytics. You have learned how to extract extended fields for MFA-specific information and set up visual dashboards to monitor authentication activities. By following these steps, you can enhance your security posture and ensure compliance with industry standards. Continuous monitoring is important to detect and address potential security threats.
Acknowledgments
- Author - Vishak Chittuvalapil (Senior Cloud Engineer)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
G10603-01
June 2024