Hello All,
I've noticed what I believe to be a bug between the splunk_ta_o365. I wanted to point it out or see if I am missing something here.
I have many events in office o365 which looks similar to this (It is confusing, but this user did NOT login):
Raw Logs:
Workload=AzureActiveDirectory
Operation=UserLoggedIn
ResultStatus=Succeeded
LogonError=UserAccountNotFound
The "Splunk Add-on for Microsoft Office 365" the following lookup: "splunk_ta_o365_cim_authentication.csv"
which compares the Workload, Operation, and ResultStatus fields - it does not consider LogonError. It OUTPUTs the following new fields:
dataset_name=authentication
action=success
The splunk_ta_o365 includes:
tag=authentication for "dataset_name=authentication"
Now the Authentication.Successful_Authentication (looks for tag=authentication action="success") data model incorrectly tells you a user has logged in when in fact, they failed because there was "UserAccountNotFound"
Using Splunk 8+, Splunk_SA_CIM 4.15.0, splunk_ta_o365 2.0.1
This issue has been addressed in the below bug:
Hi @_joe , wanted to ask if you ever found a solution for this or were you able to find these successful or failed logins that Splunk reported in your O365 portal?