Audit Log changes

Patrick Taft

Like many users, we had IP ranges in Nigeria trying to crack user passwords, and this was showing up in the Audit Logs as "UserLoginFailed". Now this seems to have disappeared completely. I tried from the OWA on my account until it locked me out, and nothing showed up in the audit at all. I tried to search the community for this, but nothing came back. Has anyone had this experience?

7 Replies
I can see them just fine in the SCC. There's no pre-built filter for "failed login" events though, so you have to get the full list and sort/filter it in Excel or similar.

Yes, agreed, but I was seeing a lot when I filtered, now literally zero. Just seems strange that they stopped trying to access accounts. I was concerned that something changed and just not seeing it now. I was getting UserLoggedIn and UserLoginFailed entries. Thank you.

I have the CSV that I had pulled on 3/22, a 24 hour log, 50,000 entries. Of that there are 3564 UserLoggedIn entries and 492 UserLoginFailed entries. I pulled a log on 5/10, 15 hours, 33k entries, not a single UserLoggedIn or UserLoginFailed entry.

Well, if you don't even see UserLoggedIn events, that calls for a support case...

I'm not sure if it's related but we're having issues with the Office 365 Management API, which contains the same logs as the Unified Audit Log. 

The logs are coming in with empty Operation and ResultStatus fields, meaning our alerting engine isn't able to notify us for bulk failed, or successful logins from suspicious IPs.

To get these complete logs, I've had to run Search-UnifiedAuditLog, where the Operation and ResultStatus fields are present for the same logs. Edit: I just retested this, and it seems that the data isn't there either. We haven't received any ResultStatus or Operation info since the 2nd of May for any of our customers.

 

I'll log it as a separate post, but there may be some issues with the service lately.

That one definitely calls for a support ticket.

Yep, I've just logged one. I'll update with how it goes.
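
Added example, not part of any reply in this thread: a telemetry health check for the failure described above, where an audit export silently stops carrying UserLoggedIn/UserLoginFailed records or arrives with empty Operation and ResultStatus fields. It assumes a CSV export with columns CreationDate, UserIds, Operations and a JSON AuditData column; the function names, the `min_records` threshold and the sample rows are constructed for illustration.

```python
import csv, io, json
from collections import Counter

LOGIN_OPS = {"UserLoggedIn", "UserLoginFailed"}  # operation names quoted in the thread

def audit_health(csv_text, min_records=1000):
    """Count operations in an audit export and flag missing login telemetry."""
    ops, total, blank_op, login_no_status = Counter(), 0, 0, 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        total += 1
        try:
            data = json.loads(row.get("AuditData") or "{}")
        except json.JSONDecodeError:
            data = {}
        if not isinstance(data, dict):
            data = {}
        op = str(data.get("Operation") or "").strip()
        if not op:                      # record arrived without an Operation
            blank_op += 1
            continue
        ops[op] += 1
        if op in LOGIN_OPS and not str(data.get("ResultStatus") or "").strip():
            login_no_status += 1
    logins = sum(ops[o] for o in LOGIN_OPS)
    alerts = []
    if blank_op:
        alerts.append("blank_operation")
    if login_no_status:
        alerts.append("login_without_result_status")
    if total >= min_records and logins == 0:   # large export, zero sign-in events
        alerts.append("no_login_events")
    return {"total": total, "logins": logins, "blank_operation": blank_op,
            "alerts": alerts}

def make_export(records):
    """Constructed sample data: one CSV row per (operation, result_status)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for op, status in records:
        audit = json.dumps({"Operation": op, "ResultStatus": status})
        writer.writerow(["2000-01-01T00:00:00", "user@example.com", op, audit])
    return buf.getvalue()

HEALTHY = make_export([("UserLoggedIn", "Succeeded")] * 7 + [("UserLoginFailed", "Failed")] * 2)
DEGRADED = make_export([("", "")] * 3 + [("FileAccessed", "Succeeded")] * 6)

if __name__ == "__main__":
    print(audit_health(HEALTHY, min_records=5))
    print(audit_health(DEGRADED, min_records=5))
```

Running a check like this on every scheduled export turns "the failed logins stopped" into an alert on the log source itself, rather than something noticed weeks later.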