Hi Experts,
I added the O365 integration in Elastic 8.2 with all default content types enabled to monitor successful/failed login details. However, when I was testing the possible test cases, I noticed that if I log in to O365 with invalid login details, it is reflected in Elastic after 2 hr.
Test cases with output:
- Add filters - data_stream.dataset: o365.audit with last 15 min => returns hits / data
- Add filter - data_stream.dataset: o365.audit, event.category: authentication with last 15 min => returns no hits / no data
- Add filter - data_stream.dataset: o365.audit, event.category: authentication with last 2 hours => returns hits / data
Can someone please assist me with how I can get the invalid login details in real time?
Thanks in advance!
Regards,
Nivedita