Hello @PaulPanther, here are two events, fully anonymized, that I can show. {
"preview": false,
"result": {
"_raw": "{\"id\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"createdDateTime\": \"2023-01-17T10:25:15Z\", \"userDisplayName\": \"FirstName LASTNAME\", \"userPrincipalName\": \"xxxx@xxxxxxxxxxxxxxxx.xxxxxxx.xxx\", \"userId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"appId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"appDisplayName\": \"Windows Sign In\", \"ipAddress\": \"xxx.xxx.xxx.xxx\", \"clientAppUsed\": \"Mobile Apps and Desktop clients\", \"correlationId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"conditionalAccessStatus\": \"notApplied\", \"isInteractive\": true, \"riskDetail\": \"none\", \"riskLevelAggregated\": \"none\", \"riskLevelDuringSignIn\": \"none\", \"riskState\": \"none\", \"riskEventTypes\": [], \"riskEventTypes_v2\": [], \"resourceDisplayName\": \"Windows Azure Active Directory\", \"resourceId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"status\": {\"errorCode\": 0, \"failureReason\": \"Other.\", \"additionalDetails\": null}, \"deviceDetail\": {\"deviceId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"displayName\": \"X-XXXXXX-xxxxxx\", \"operatingSystem\": \"Windows\", \"browser\": \"\", \"isCompliant\": true, \"isManaged\": true, \"trustType\": \"Azure AD joined\"}, \"location\": {\"city\": \"XXXXXXX\", \"state\": \"XXXXXXXX\", \"countryOrRegion\": \"XX\", \"geoCoordinates\": {\"altitude\": null, \"latitude\": XXXXX, \"longitude\": XXXXX}}, \"appliedConditionalAccessPolicies\": []}",
"_time": "2023-01-17T11:35:09.000+0100",
"action": "notApplied",
"app": "Windows Sign In",
"appDisplayName": "Windows Sign In",
"appId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"clientAppUsed": "Mobile Apps and Desktop clients",
"conditionalAccessStatus": "notApplied",
"correlationId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"createdDateTime": "2023-01-17T10:25:15Z",
"deviceDetail.browser": "",
"deviceDetail.deviceId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"deviceDetail.displayName": "X-XXXXXX-xxxxxx",
"deviceDetail.isCompliant": "true",
"deviceDetail.isManaged": "true",
"deviceDetail.operatingSystem": "Windows",
"deviceDetail.trustType": "Azure AD joined",
"yyyySite": "XXX",
"yyyyZone": "XXX",
"eventtype": [
"o365_graph_api",
"o365_signins"
],
"host": "xxxxxx",
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"index": "o365",
"ipAddress": "xxx.xxx.xxx.xxx",
"isInteractive": "true",
"linecount": "1",
"location.city": "XXXXXX",
"location.countryOrRegion": "XX",
"location.geoCoordinates.altitude": "null",
"location.geoCoordinates.latitude": "XXXXXXX",
"location.geoCoordinates.longitude": "XXXXXX",
"location.state": "XXXXXXX",
"punct": "{\"\":_\"----\",_\"\":_\"--::\",_\"\":_\"_\",_\"\":_\"@..\",_\"\":_\"",
"reason": "Other.",
"resourceDisplayName": "Windows Azure Active Directory",
"resourceId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"riskDetail": "none",
"riskLevelAggregated": "none",
"riskLevelDuringSignIn": "none",
"riskState": "none",
"source": "AuditLogs.SignIns",
"sourcetype": "o365:graph:api",
"splunk_server": "xxxxxx",
"src": "xxx.xxx.xxx.xxx",
"src_ip": "xxx.xxx.xxx.xxx",
"status": "0",
"status.additionalDetails": "null",
"status.errorCode": "0",
"status.failureReason": "Other.",
"tag": "authentication",
"tag::eventtype": "authentication",
"timestamp": "none",
"user": "xxxx@xxxxxxxxxxxxxxxx.xxx",
"userDisplayName": "FirstName LASTNAME",
"userId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"userPrincipalName": "xxxx@xxxxxxxxxxxxxxxx.xxxxxxx.xxx"
}
}
{
"preview": false,
"lastrow": true,
"result": {
"_raw": "{\"id\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"createdDateTime\": \"2023-01-17T09:53:26Z\", \"userDisplayName\": \"FirstName LASTNAME\", \"userPrincipalName\": \"xxxx@xxxxxxxxxxxxxxxx.xxxxxxx.xxx\", \"userId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"appId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"appDisplayName\": \"Windows Sign In\", \"ipAddress\": \"xxx.xxx.xxx.xxx\", \"clientAppUsed\": \"Mobile Apps and Desktop clients\", \"correlationId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"conditionalAccessStatus\": \"notApplied\", \"isInteractive\": true, \"riskDetail\": \"none\", \"riskLevelAggregated\": \"none\", \"riskLevelDuringSignIn\": \"none\", \"riskState\": \"none\", \"riskEventTypes\": [], \"riskEventTypes_v2\": [], \"resourceDisplayName\": \"Windows Azure Active Directory\", \"resourceId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"status\": {\"errorCode\": 50126, \"failureReason\": \"Error validating credentials due to invalid username or password.\", \"additionalDetails\": \"The user didn't enter the right credentials. \\xxxxxxxx's expected to see some number of these errors in your logs due to users making mistakes.\"}, \"deviceDetail\": {\"deviceId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\", \"displayName\": \"X-XXXXXX-xxxxxx\", \"operatingSystem\": \"Windows\", \"browser\": \"\", \"isCompliant\": false, \"isManaged\": true, \"trustType\": \"Azure AD joined\"}, \"location\": {\"city\": \"XXXXX\", \"state\": \"XXXXX\", \"countryOrRegion\": \"XX\", \"geoCoordinates\": {\"altitude\": null, \"latitude\": XXXXX, \"longitude\": XXXXXXX}}, \"appliedConditionalAccessPolicies\": []}",
"_time": "2023-01-17T11:00:12.000+0100",
"action": "notApplied",
"app": "Windows Sign In",
"appDisplayName": "Windows Sign In",
"appId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"clientAppUsed": "Mobile Apps and Desktop clients",
"conditionalAccessStatus": "notApplied",
"correlationId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"createdDateTime": "2023-01-17T09:53:26Z",
"deviceDetail.browser": "",
"deviceDetail.deviceId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"deviceDetail.displayName": "X-XXXXXX-xxxxxx",
"deviceDetail.isCompliant": "false",
"deviceDetail.isManaged": "true",
"deviceDetail.operatingSystem": "Windows",
"deviceDetail.trustType": "Azure AD joined",
"yyyySite": "XXX",
"yyyyZone": "XXX",
"eventtype": [
"err0r",
"o365_graph_api",
"o365_signins"
],
"host": "xxxxxxxx",
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"index": "o365",
"ipAddress": "xxx.xxx.xxx.xxx",
"isInteractive": "true",
"linecount": "1",
"location.city": "Xxxxxx",
"location.countryOrRegion": "XX",
"location.geoCoordinates.altitude": "null",
"location.geoCoordinates.latitude": "XXXXXX",
"location.geoCoordinates.longitude": "XXXXXX",
"location.state": "XXXXXXX",
"punct": "{\"\":_\"----\",_\"\":_\"--::\",_\"\":_\"_\",_\"\":_\"@..\",_\"\":_\"",
"reason": "Error validating credentials due to invalid username or password.",
"resourceDisplayName": "Windows Azure Active Directory",
"resourceId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"riskDetail": "none",
"riskLevelAggregated": "none",
"riskLevelDuringSignIn": "none",
"riskState": "none",
"source": "AuditLogs.SignIns",
"sourcetype": "o365:graph:api",
"splunk_server": "xxxxxxx",
"src": "xxx.xxx.xxx.xxx",
"src_ip": "xxx.xxx.xxx.xxx",
"status": "50126",
"status.additionalDetails": "The user didn't enter the right credentials. It's expected to see some number of these errors in your logs due to users making mistakes.",
"status.errorCode": "50126",
"status.failureReason": "Error validating credentials due to invalid username or password.",
"tag": [
"authentication",
"error"
],
"tag::eventtype": [
"authentication",
"error"
],
"timestamp": "none",
"user": "xxxx@xxxxxxxxxxxxxxxx.xxxxxxx.xxx",
"userDisplayName": "firstName LASTNAME",
"userId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"userPrincipalName": "xxxx@xxxxxxxxxxxxxxxx.xxxxxxx.xxx"
}
} Here they are; I hope you can find something. Best regards!