Office365 Signin Logs event.outcome seems incorrect sometimes


(Elastic 7.9.2)

We noticed something weird in the Office365 Signin logs. This a screenshot from the Azure Portal itself:

As you can see the user had 1 failed login followed by a successful login. In the o365 signin logs indexed by Filebeat however I cannot find any field indicating that the second event was successful (or I'm missing something)

event.outcome for all events around that time is failure. This seems like a bug? The only field I found which seems to indicate the failure versus the signin successes is the azure.signinlogs.result_type, which seems to be 0 when successful.




This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.