Is there anyway of identifying what events in the Security and Compliance Audit log are linked to the same user session. For instance a number of events list the global microsoft service's ip address instead of the source users address. So I am looking for a way of distinguish which events may belong to two or more users logged on tothe same account with the same credentials at the same time.
Also is there any definition of when a sign-on event is triggered for an account. For instance I have had accounts compromised where an attacker has generated 50+ logon events. What sort of actions would an attacker do that would trigger reauthentication events.
Vasil, thanks for your response, i tend to look at all logs, as different logs capture different data. As stated above my issue is that when i have an attacker on at the sametime as a user and i have events that a user triggered through a Microsoft addresses that I can identify which source ip or user session was responsible. I am trying to find out if anywhere in all of this logging there is anything resembling a sessions key that links each user session together. so that if i log on from two different devices that have the same browser that i can see what actions each session did.