Audit Log changes


Like many users, we had IP ranges in Nigeria trying to crack user passwords, and this was showing up in the Audit Logs as "UserLoginFailed". Now this seems to have disappeared completely. I tried from the OWA on my account until it locked me out, and nothing showed up in the audit at all. I tried to search the community for this, but nothing came back. Has anyone had this experience?

7 Replies

I can see them just fine in the SCC. There's no pre-built filter for "failed login" events though, so you have to get the full list and sort/filter it in Excel or similar.

Yes, agreed, but I was seeing a lot when I filtered; now literally zero. It just seems strange that they stopped trying to access accounts. I was concerned that something changed and I'm just not seeing it now. I was getting UserLoggedIn and UserLoginFailed entries. Thank you.

I have the CSV that I had pulled on 3/22, a 24-hour log, 50,000 entries. Of that, there are 3564 UserLoggedIn entries and 492 UserLoginFailed entries. I pulled a log on 5/10, 15 hours, 33k entries, not a single UserLoggedIn or UserLoginFailed entry.

Well, if you don't even see UserLoggedIn events, that calls for a support case...

I'm not sure if it's related but we're having issues with the Office 365 Management API, which contains the same logs as the Unified Audit Log. 

The logs are coming in with empty Operation and ResultStatus fields, meaning our alerting engine isn't able to notify us for bulk failed, or successful logins from suspicious IPs.

To get these complete logs, I've had to run Search-UnifiedAuditLog, where the Operation and ResultStatus fields are present for the same logs. Edit: I just retested this, and it seems that the data isn't there either. We haven't received any ResultStatus or Operation info since the 2nd of May for any of our customers.

 

I'll log it as a separate post, but there may be some issues with the service lately.

That one definitely calls for a support ticket.

Yep, I've just logged one, I'll update with how it goes.
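
Added example, not part of the thread and not Microsoft code: a batch health check that flags the two symptoms described above, a large audit export with no UserLoggedIn/UserLoginFailed records and records arriving with empty Operation or ResultStatus fields, so that an alerting pipeline reports the loss of telemetry instead of going quiet. The thresholds, finding names, the `make_batch` helper and the sample records are assumptions constructed for illustration; the batch sizes mirror the counts quoted in the thread.

```python
from collections import Counter

# Sign-in operations the thread reports as missing from the audit log.
LOGIN_OPS = ("UserLoggedIn", "UserLoginFailed")


def _field(record, name):
    """Return a field as a stripped string, treating None/missing as empty."""
    return (record.get(name) or "").strip()


def audit_health(records, min_records=1000, max_blank_ratio=0.05):
    """Return telemetry-gap findings for one batch of audit records (dicts).

    min_records and max_blank_ratio are assumed thresholds; tune per tenant.
    """
    total = len(records)
    if total == 0:
        return ["EMPTY_BATCH"]
    findings = []
    ops = Counter(_field(r, "Operation") for r in records)
    # Symptom from the Management API reply: Operation arrives empty.
    if ops[""] / total > max_blank_ratio:
        findings.append("BLANK_OPERATION")
    logins = [r for r in records if _field(r, "Operation") in LOGIN_OPS]
    # Sign-in records without ResultStatus cannot drive failed-login alerts.
    if any(not _field(r, "ResultStatus") for r in logins):
        findings.append("BLANK_RESULTSTATUS")
    # Symptom from the original post: a large export with zero sign-in events.
    if total >= min_records and not logins:
        findings.append("NO_LOGIN_EVENTS")
    return findings


def make_batch(total, logged_in=0, failed=0, blank=0):
    """Build a constructed batch; FileAccessed stands in for non-login activity."""
    recs = [{"Operation": "UserLoggedIn", "ResultStatus": "Succeeded"}] * logged_in
    recs += [{"Operation": "UserLoginFailed", "ResultStatus": "Failed"}] * failed
    recs += [{"Operation": "", "ResultStatus": ""}] * blank
    recs += [{"Operation": "FileAccessed", "ResultStatus": ""}] * (total - len(recs))
    return recs


if __name__ == "__main__":
    print("3/22-sized batch:", audit_health(make_batch(50000, 3564, 492)))
    print("5/10-sized batch:", audit_health(make_batch(33000)))
    print("blank-field batch:", audit_health(make_batch(33000, blank=33000)))
```

Running this per export or per API pull and alerting on any non-empty result turns "zero failed logins" from an ambiguous silence into an explicit signal to check the log source.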