Nov 12 2018 06:45 PM
Is there any way of identifying what events in the Security and Compliance Audit log are linked to the same user session? For instance, a number of events list the global Microsoft service's IP address instead of the source user's address. So I am looking for a way of distinguishing which events may belong to two or more users logged on to the same account with the same credentials at the same time.
Also, is there any definition of when a sign-on event is triggered for an account? For instance, I have had accounts compromised where an attacker has generated 50+ logon events. What sort of actions would an attacker do that would trigger reauthentication events?
Nov 12 2018 11:01 PM
Apart from filtering out on time/date, not really. You are better off looking at the events in the Azure AD blade though, the ones in the SCC can be outdated and don't expose all the details.
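The time/date filtering suggested in the reply above, sketched as an added example that is not part of the original thread: it buckets exported audit records per account into fixed time windows and reports windows where the account was used from more than one non-service client IP. It assumes records exported as dictionaries with the audit schema's `CreationTime`, `UserId`, `ClientIP` and `Operation` fields; the function name, the sample records and the service IP list are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; all addresses are documentation ranges.
SAMPLE = [
    {"CreationTime": "2018-11-12T09:01:10", "UserId": "alice@example.com", "ClientIP": "192.0.2.10", "Operation": "UserLoggedIn"},
    {"CreationTime": "2018-11-12T09:05:42", "UserId": "alice@example.com", "ClientIP": "203.0.113.77", "Operation": "UserLoggedIn"},
    {"CreationTime": "2018-11-12T09:07:03", "UserId": "alice@example.com", "ClientIP": "198.51.100.5", "Operation": "MailboxLogin"},
    {"CreationTime": "2018-11-12T09:20:15", "UserId": "alice@example.com", "ClientIP": "203.0.113.77", "Operation": "FileDownloaded"},
    {"CreationTime": "2018-11-12T14:00:00", "UserId": "alice@example.com", "ClientIP": "192.0.2.10", "Operation": "UserLoggedIn"},
    {"CreationTime": "2018-11-12T09:03:30", "UserId": "bob@example.com", "ClientIP": "192.0.2.20", "Operation": "UserLoggedIn"},
]

# Assumption: the analyst supplies the addresses known to be Microsoft
# service front ends; events from these cannot be tied to a client.
SERVICE_IPS = {"198.51.100.5"}

EPOCH = datetime(1970, 1, 1)


def overlapping_sources(records, service_ips, window=timedelta(minutes=30)):
    """Return (user, window_start, client_ips, unattributed_count) for each
    window in which one account was seen from more than one non-service IP."""
    buckets = defaultdict(lambda: {"ips": set(), "unattributed": 0})
    for rec in records:
        ts = datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S")
        # Floor the timestamp to the start of its fixed-size window.
        start = EPOCH + ((ts - EPOCH) // window) * window
        bucket = buckets[(rec["UserId"].lower(), start)]
        if rec["ClientIP"] in service_ips:
            bucket["unattributed"] += 1  # service address, source unknown
        else:
            bucket["ips"].add(rec["ClientIP"])
    return [
        (user, start, sorted(b["ips"]), b["unattributed"])
        for (user, start), b in sorted(buckets.items())
        if len(b["ips"]) > 1
    ]


if __name__ == "__main__":
    for user, start, ips, unattributed in overlapping_sources(SAMPLE, SERVICE_IPS):
        print(f"{user} {start:%Y-%m-%d %H:%M} ips={ips} service-ip events={unattributed}")
```

A flagged window only shows that the activity coincided in time, not which session each event belongs to, and events that straddle a window boundary land in separate buckets.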
Nov 13 2018 05:33 PM