Office365 Signin Logs event.outcome seems incorrect sometimes

Hello,

(Elastic 7.9.2)

We noticed something weird in the Office365 Signin logs. This a screenshot from the Azure Portal itself:

As you can see the user had 1 failed login followed by a successful login. In the o365 signin logs indexed by Filebeat however I cannot find any field indicating that the second event was successful (or I'm missing something)

event.outcome for all events around that time is failure. This seems like a bug? The only field I found which seems to indicate the failure versus the signin successes is the azure.signinlogs.result_type, which seems to be 0 when successful.

Grtz

Willem

(autoclose-prevention)