Stephen Hackers Blog

Infrastructure & Cyber Security Technical Architect

03/06/2020

Microsoft 365 – Audit Log Search – UserLoginFailed

By Steve in 2FA, MFA, Cloud & Datacenter Management, Cloud Security, Cyber Security, Dark Web, Enterprise Security, Exchange, Microsoft, Office 365, Office Apps & Services, Security & Compliance. Tags: Activity, Audit Log, CyberSecurity, Email, Filter, M365, Pwned, RaisingAwareness, Search, Security, User Login Failed, UserLoginFailed, Whois

M365 Admin Portal > “Security & Compliance” > “Search” > “Audit log search”. The portal’s own “Learn more about searching the audit log” link covers the search options in detail.

https://protection.office.com/unifiedauditlog

Audit log search is a great place to start regularly checking for unauthorised login attempts (the UserLoginFailed activity). This example shows multiple attempts to log in from various locations, none of which were physically possible for this user, who is based in the UK. We suspect a breach elsewhere where this email address / user name was previously registered. Thankfully, this address is now only an alias on a domain we imported into the tenancy. In addition, we have MFA and a failed-login-attempt (lockout) policy configured on all users.

No more than two attempts were logged against each IP address. So we have avoided the account being compromised by using a mix of basic login-attempt policies, MFA and an alias.

Where can we see failed login attempts?

Audit Log Search

  • Audit Log Search > Set Activities / Dates > Search
  • Next, apply a filter: click Filter Results > “Activity” = “UserLoginFailed”

After identifying the IPs, the next step is to check them out: https://whois.domaintools.com

A quick check of the details confirmed it was not possible for one of our live users to be in these locations at the time of the failed logins, and the IP addresses also weren’t blacklisted.

“78.140.7.9” – Russia

“203.147.83.159” – New Caledonia

“119.160.136.138” – Brunei

One attempt may just be a one-off end-user error, but multiple attempts from various locations means something has been compromised. I would certainly suggest a quick change of password and recreating any App Passwords in use.
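To turn the portal procedure above (filter on UserLoginFailed, look at the source IPs, note how many attempts each IP made) into a repeatable check, the following is an added example, not code from the original post. It assumes the audit log has been exported and that each record’s AuditData JSON object (with the unified audit log’s Operation, UserId, ClientIP and CreationTime fields) sits on its own line; the sample records, the LogonError values and the IP-to-country table standing in for the manual whois lookup are all constructed for the example.

```python
"""
Triage UserLoginFailed events from a Microsoft 365 unified audit log export.
Flags the pattern described in the post: several source IPs in a short
window, with only a couple of attempts from each one.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real tenant data): one AuditData JSON
# object per line, as carried in the AuditData column of the portal's export.
SAMPLE_EXPORT = """\
{"CreationTime": "2020-06-01T02:11:05", "Operation": "UserLoginFailed", "UserId": "alias@example.com", "ClientIP": "78.140.7.9", "LogonError": "InvalidUserNameOrPassword"}
{"CreationTime": "2020-06-01T02:11:40", "Operation": "UserLoginFailed", "UserId": "alias@example.com", "ClientIP": "78.140.7.9", "LogonError": "InvalidUserNameOrPassword"}
{"CreationTime": "2020-06-01T04:30:12", "Operation": "UserLoginFailed", "UserId": "alias@example.com", "ClientIP": "203.147.83.159", "LogonError": "InvalidUserNameOrPassword"}
{"CreationTime": "2020-06-01T04:30:51", "Operation": "UserLoginFailed", "UserId": "alias@example.com", "ClientIP": "203.147.83.159", "LogonError": "InvalidUserNameOrPassword"}
{"CreationTime": "2020-06-01T07:02:09", "Operation": "UserLoginFailed", "UserId": "alias@example.com", "ClientIP": "119.160.136.138", "LogonError": "InvalidUserNameOrPassword"}
{"CreationTime": "2020-06-01T07:02:44", "Operation": "UserLoginFailed", "UserId": "alias@example.com", "ClientIP": "119.160.136.138", "LogonError": "InvalidUserNameOrPassword"}
{"CreationTime": "2020-06-01T08:15:00", "Operation": "UserLoginFailed", "UserId": "ukuser@example.com", "ClientIP": "203.0.113.10", "LogonError": "InvalidUserNameOrPassword"}
{"CreationTime": "2020-06-01T08:15:30", "Operation": "UserLoggedIn", "UserId": "ukuser@example.com", "ClientIP": "203.0.113.10"}
"""

# Constructed stand-in for the manual whois / geolocation check.
IP_COUNTRY = {
    "78.140.7.9": "Russia",
    "203.147.83.159": "New Caledonia",
    "119.160.136.138": "Brunei",
    "203.0.113.10": "United Kingdom",
}


def parse_failed_logins(export_text):
    """Return (user, timestamp, ip) for every UserLoginFailed record.
    Other operations (e.g. UserLoggedIn) are skipped, which mirrors the
    Activity = UserLoginFailed filter applied in the portal."""
    events = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Operation") != "UserLoginFailed":
            continue
        events.append((rec["UserId"].lower(),
                       datetime.fromisoformat(rec["CreationTime"]),
                       rec.get("ClientIP", "unknown")))
    return events


def max_distinct_ips_in_window(events, window):
    """events: list of (timestamp, ip) sorted by timestamp.
    Returns the largest number of distinct IPs seen in any span of `window`."""
    counts = defaultdict(int)
    best = start = 0
    for t_end, ip in events:
        counts[ip] += 1
        # Slide the window start forward until it fits within `window`.
        while t_end - events[start][0] > window:
            old_ip = events[start][1]
            counts[old_ip] -= 1
            if counts[old_ip] == 0:
                del counts[old_ip]
            start += 1
        best = max(best, len(counts))
    return best


def triage(events, window=timedelta(hours=24), min_ips=3, max_per_ip=2):
    """Summarise failed logins per user. A user is flagged when at least
    `min_ips` distinct source IPs appear within `window`; `low_and_slow`
    additionally notes that no single IP exceeded `max_per_ip` attempts."""
    by_user = defaultdict(list)
    for user, ts, ip in events:
        by_user[user].append((ts, ip))

    report = {}
    for user, evs in by_user.items():
        evs.sort()
        per_ip = defaultdict(int)
        for _, ip in evs:
            per_ip[ip] += 1
        distinct = max_distinct_ips_in_window(evs, window)
        flagged = distinct >= min_ips
        report[user] = {
            "attempts": len(evs),
            "per_ip": dict(per_ip),
            "countries": sorted({IP_COUNTRY.get(ip, "unknown") for ip in per_ip}),
            "flagged": flagged,
            "low_and_slow": flagged and max(per_ip.values()) <= max_per_ip,
        }
    return report


if __name__ == "__main__":
    for user, info in triage(parse_failed_logins(SAMPLE_EXPORT)).items():
        status = "INVESTIGATE" if info["flagged"] else "ok"
        print(f"{user}: {info['attempts']} failures from {len(info['per_ip'])} IP(s) "
              f"{info['countries']} -> {status}")
```

The alias account in the sample is flagged (three countries in a few hours, two attempts each, which a simple per-IP lockout threshold would never trip), while the single UK failure is reported as a likely typo. Replace the IP_COUNTRY table with a real whois or geolocation lookup and tune the window and thresholds to your own tenancy’s baseline.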

Check whether the accounts have been pwned. A quick check to see if an account has been pwned: https://haveibeenpwned.com/

In this case the account had previously had its email address and password compromised.



Now going back to the IP addresses.

This example is located in Australia and is not blacklisted.

So what are the next options?

  • Conditional Access
  • Disable Basic Authentication

We could look at Conditional Access and block locations. However, that doesn’t block basic authentication (from my research, maybe wrong info).

So to help block any brute-force basic authentication attempts, we could disable basic authentication, but are there any challenges? Before a blanket disable of basic auth, legacy applications would need to be upgraded. Note: “Blocking Basic authentication will block app passwords in Exchange Online. For more information about app passwords, see Create an app password for Office 365.”


 
