We noticed something weird in the Office365 Signin logs. This a screenshot from the Azure Portal itself:
As you can see the user had 1 failed login followed by a successful login. In the o365 signin logs indexed by Filebeat however I cannot find any field indicating that the second event was successful (or I'm missing something)
event.outcome for all events around that time is failure. This seems like a bug? The only field I found which seems to indicate the failure versus the signin successes is the
azure.signinlogs.result_type, which seems to be 0 when successful.