O365 authentication details show up after 2 hr in Kibana

Hi Experts,

I added the O365 integration in Elastic 8.2 with all default content types enabled to monitor the successful/failed login details. However, when I was testing the possible test cases, I noticed that if I log in to O365 with invalid login details, it is reflected in Elastic only after 2 hr.

Test cases with output:

  • Add filters - data_stream.dataset: o365.audit with last 15 min => returns hits / data
  • Add filter - data_stream.dataset: o365.audit, event.category: authentication with last 15 min => returns no hits / no data
  • Add filter - data_stream.dataset: o365.audit, event.category: authentication with last 2 hours => returns hits / data

Can someone please assist me on how I can get the invalid login details in real time?

Thanks in advance!
Regards,
Nivedita

The only thing I can think of is your time/timezone is off on your computer/browser. Is the timestamp on the event correct?


Thanks for the reply.
The timestamp on the event is correct (i.e., if I log in with wrong credentials at 10:45 AM, then after 2 hours I can see an event in Elastic with timestamp as 10:45 with UserLoginFailed).
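The three test cases in this thread are what a time filter on `@timestamp` returns when an event becomes searchable long after it happened. As an added example (not code from the thread or from Elastic), the sketch below emulates that filter over constructed documents and measures the lag per category; it assumes `event.ingested` is populated at index time, and the sample times and the roughly two-hour lag are constructed to mirror the report.

```python
from datetime import datetime, timedelta

# Constructed sample documents (not real tenant data). Field names follow ECS;
# it is an assumption that event.ingested is set when the document is indexed.
DOCS = [
    {"@timestamp": "2022-06-01T12:30:00+00:00", "event.ingested": "2022-06-01T12:33:00+00:00",
     "event.category": "file", "event.action": "FileAccessed"},
    {"@timestamp": "2022-06-01T10:45:00+00:00", "event.ingested": "2022-06-01T12:35:00+00:00",
     "event.category": "authentication", "event.action": "UserLoginFailed"},
    {"@timestamp": "2022-06-01T12:38:00+00:00", "event.ingested": "2022-06-01T12:39:00+00:00",
     "event.category": "web", "event.action": "PageViewed"},
]

def ts(value):
    return datetime.fromisoformat(value)

def lag(doc):
    """Delay between when the event happened and when it became searchable."""
    return ts(doc["event.ingested"]) - ts(doc["@timestamp"])

def hits(docs, now, lookback, category=None):
    """Emulate a 'last N' time filter on @timestamp, evaluated at `now`."""
    out = []
    for d in docs:
        indexed = ts(d["event.ingested"]) <= now  # not searchable before ingest
        in_range = now - lookback <= ts(d["@timestamp"]) <= now
        if indexed and in_range and category in (None, d["event.category"]):
            out.append(d["event.action"])
    return out

def max_lag_by_category(docs):
    """Worst observed lag per event.category; a shorter lookback misses events."""
    worst = {}
    for d in docs:
        c = d["event.category"]
        worst[c] = max(worst.get(c, timedelta(0)), lag(d))
    return worst

if __name__ == "__main__":
    now = ts("2022-06-01T12:40:00+00:00")
    print(hits(DOCS, now, timedelta(minutes=15)))                      # other o365.audit data
    print(hits(DOCS, now, timedelta(minutes=15), "authentication"))    # no hits
    print(hits(DOCS, now, timedelta(hours=2), "authentication"))       # late event appears
    print(max_lag_by_category(DOCS))
```

Any dashboard filter or alert lookback shorter than the measured lag for `authentication` will not return the failed login, even though its `@timestamp` is correct.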
