topic Re: o365 logins in Security

o365 logins

pacificcreek — Tue, 29 Sep 2020 19:27:30 GMT

We have been using splunk to help monitor compromised email accounts by looking for logins from countries other than the ones we operate in. I know this insn't a foolproof method but it gives us a good start. Last friday our queries stopped working altogether. I suspect that microsoft changed something. Has anyone else run into this and know a fix?

Re: o365 logins

adonio — Fri, 11 May 2018 00:41:14 GMT

although i kinda get what your search is doing, i am not sure what you are asking here exactly.
i do however remember couple times that MS changed items in Azure, or had a short outage (or anticipated one) there was a message from your company ms admin, there is a specific account name for them and message of what they are doing and when. was able to capture it and set alert on it.
maybe this is what you are after?

Re: o365 logins

centrafraserk — Fri, 11 May 2018 01:47:55 GMT

I think you are correct to assume that Microsoft changed something, because I also stopped receiving and user login authentication through the management API last Friday. So did this guy:

https://answers.splunk.com/answers/656188/only-pulling-user-change-logs-and-not-login-attemp.html

If you find an answer to the problem please let me know. It's not your query, its the fact you no longer are receiving that data. I'm going to call support tomorrow and see if I can get some assistance, I encourage you to do the same as it will let them know there is an issue.

Re: o365 logins

markhill1 — Tue, 15 May 2018 02:22:03 GMT

Yep, same here, we stopped getting the results on the 5th May.

Re: o365 logins

MuS — Tue, 15 May 2018 03:06:57 GMT

a quick and dirty google research found me this https://developer.microsoft.com/en-us/graph/docs/concepts/changelog

Maybe you find some hints in the May 2018 changes 😉

cheers, MuS

Re: o365 logins

neades — Fri, 18 May 2018 13:42:15 GMT

I had the same issue:

This is an issue seen across the board, not just for Splunk ingestion, but also for Cloud Access Security Brokers such as Skyhigh Networks.

If you want to solve your issue, place a detailed level B support ticket with Microsoft through the Azure support portal (portal.azure.com).

You will likely see logs come back within 24 hours.

Re: o365 logins

pacificcreek — Fri, 18 May 2018 17:09:33 GMT

The data came back on its own today. We never did open a case with Microsoft but a sister company did. We are now getting the alerts but it just started today. Other individuals we knew to be traveling and logging in 5/17 were not logged.