Like many users, we had IP ranges in Nigeria trying to crack user passwords, and this was showing up in the Audit Logs as "UserLoginFailed" now this seems to have disappeared completely. I tried from the OWA on my account until it locked me out, and nothing showed up in the audit at all. I tried to search the community for this, but nothing came back,.. has anyone had this experience?
Yes, agreed,. but I was seeing a lot when I filtered,. now literally zero. just seems strange that they stopped trying to access accounts. I was concerned that something changed and just not seeing it now. I was getting UserLoggedIn and UserLoginFailed entries. Thank You
I have the CSV that I had pulled on 3/22, a 24 hour log,. 50,000 entries. of that there are 3564 UserLoggedIn entries and 492 UserLoginFailed entries. I pulled a log on 5/10 15 hours, 33k entries, not a single UserLoggedin or UserLoginFailed entry.
I'm not sure if it's related but we're having issues with the Office 365 Management API, which contains the same logs as the Unified Audit Log.
The logs are coming in with empty Operation and ResultStatus fields, meaning our alerting engine isn't able to notify us for bulk failed, or successful logins from suspicious IPs.
To get these complete logs, I've had to run Search-UnifiedAuditLog, where the Operation and ResultStatus field is present for the same logs. Edit: I just retested this, and it seems that the data isn't there either. We haven't received any ResultStatus or Operation info since the 2nd of May for any of our customers.
I'll log it as a separate post, but there may be some issues with the service lately.