Failed Logins with Cloud App Security - Locked account

I have created a policy that alerts when Activity Type equals "Failed log on" AND App equals "Active Directory". What I would like to be able to also find is a policy/report in CASB to show when an account is "LOCKED".

Cheers,

4 Replies

@SergioT1228 Hi, one way you'd be able to see this is under the investigate blade > users and accounts > filter on the status=Suspended. Does that help?

In addition to Caroline’s response, wanted to confirm that when you’re using Active Directory, that’s showing the alerts coming through Azure ATP as Azure ATP alerts are filtered using the application filter to Active Directory. You’re trying to find Azure ATP detected logins?

@SergioT1228 

@Sarahzin_Shane @Caroline_Lee 

Thank you both for your reply.

Our ultimate goal is to replace our current 3rd party tool with CASB to secure our user Identity concerns.

We are trying to get a weekly report for Failed Logons and locked accounts. As ATP is set up on all our DCs, we are looking for Failed logons from AD as well as local accounts on workgroup servers if possible. As I look through the report, it would be great to see the username that was utilized along with the reason it failed. It appears sometimes it has an account name but not always the username. I'm working with Advanced Hunting to see if there is anything there I can use to help supplement our reporting needs.

My current action items from our team:

Schedule weekly report - Failed logon attempts

Schedule weekly report - Locked accounts for the week

Again, thank you for your time.

Cheers,
