Microsoft 365 – Audit Log Search – UserLoginFailed

M365 Admin Portal > “Security & Compliance” > “Search” > “Audit log search” (Learn more about searching the audit log)

https://protection.office.com/unifiedauditlog

Audit log search is a great place to start regularly checking for unauthorised UserLoginFailed attempts. This example shows multiple attempts to log in from various locations, none of which is physically possible for this user, who is based in the UK. We suspect there was a breach where this email address / user name was previously registered. Thankfully, this is now only an alias on a domain we imported into the tenancy. In addition, we have features like MFA and a failed login attempt setting configured on all users.

No more than two attempts were logged from each IP address. So we have avoided the user account being compromised by using a mix of basic login attempt policies, MFA and an alias.

Where can we see failed login attempts?

Audit Log Search

Audit Log Search > Set Activities / Dates > Search

Next, apply a filter:

Click > Filter Results > “Activity” = “UserLoginFailed”

After identifying the IPs, the next step is to check them out: https://whois.domaintools.com

A quick check on the details confirms it was not possible for one of our live users to be in these locations at the time of the failed logins, and the IP addresses also weren’t blacklisted.

“78.140.7.9” – Russia

“203.147.83.159” – New Caledonia

“119.160.136.138” – Brunei

One attempt may just be a one-off end-user error, but with multiple attempts from various locations something has been compromised. I would certainly suggest a quick change of password and recreating any App Passwords in use.
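As an added example (not from the original post), here is the same UserLoginFailed triage done from Exchange Online PowerShell instead of the portal: it pulls the last seven days of failures and summarises them per user and source IP, so that one or two attempts spread across several IPs, the pattern described above, stand out. It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run; the output path C:\temp\UserLoginFailed.csv is an assumption.

```powershell
# Added example, not code from the original post. Assumes the ExchangeOnlineManagement
# module is installed and an existing Connect-ExchangeOnline session.
$end   = Get-Date
$start = $end.AddDays(-7)

# ResultSize is capped at 5000 per call; busy tenants need paging with
# -SessionId / -SessionCommand ReturnLargeSet.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations UserLoginFailed -ResultSize 5000

# AuditData is a JSON string; extract only the fields needed for triage.
$events = foreach ($r in $records) {
    $d  = $r.AuditData | ConvertFrom-Json
    # ClientIP is normally populated; fall back to ActorIpAddress if it is not.
    $ip = if ($d.ClientIP) { $d.ClientIP } else { $d.ActorIpAddress }
    [pscustomobject]@{
        Time = [datetime]$d.CreationTime
        User = $d.UserId
        IP   = $ip
    }
}

# Per user: total failures, distinct source IPs, and the IP list to feed into whois.
# Several IPs with only a couple of tries each is the sign to act on, not the raw count.
$summary = $events | Group-Object User | ForEach-Object {
    $ips = @($_.Group.IP | Sort-Object -Unique)
    [pscustomobject]@{
        User        = $_.Name
        Failures    = $_.Count
        DistinctIPs = $ips.Count
        IPs         = $ips -join ', '
        Suspicious  = ($ips.Count -gt 1)
    }
}

$summary | Sort-Object DistinctIPs -Descending | Format-Table -AutoSize

# Keep the raw events for follow-up (whois, blacklist checks, password reset decisions).
# Output path is an assumption; change it to suit.
$events | Export-Csv C:\temp\UserLoginFailed.csv -NoTypeInformation
```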

Check if the accounts have been pwned. A quick check to see if the account has been pwned: https://haveibeenpwned.com/

In this case the account has previously had its email address and password compromised.

Now going back to the IP addresses

This example is located in Australia and is not blacklisted.

So what are the next options?

  • Conditional Access
  • Disable Basic Authentication

We could look at Conditional Access and block locations. However, that doesn’t block basic authentication (from my research; I may be wrong).

So to help block brute-force basic authentication attempts, we could disable basic authentication, but are there any challenges? Before a blanket disable of basic auth, legacy applications would need to be upgraded. Note: “Blocking Basic authentication will block app passwords in Exchange Online. For more information about app passwords, see Create an app password for Office 365.”

List Computer Object in an Active Directory OU using PowerShell

How to get a list of computer objects in an Active Directory OU (tested against Windows 2016 Active Directory).

A quick PowerShell script using the Get-ADComputer command, a wildcard filter and a search base pointing to a specific OU.


First, import the Active Directory module in PowerShell.


Copy and edit the script below:

# In cmd, you can find the OU path of a server known to be in the target OU:
#   dsquery computer -name servername

# Import the Active Directory module (the RSAT / AD DS tools must be installed)
Import-Module ActiveDirectory

# Example: lists the domain controllers in test.com
# Export the list of names to CSV
Get-ADComputer -Filter * -SearchBase "OU=Domain Controllers,DC=test,DC=com" | Select-Object Name | Export-Csv C:\temp\DCs.csv -NoTypeInformation
