Add search for failed login attempts to Audit Log Search
Right now the audit log search allows for searching user sign-ins but not failed login attempts. This can be accessed by exporting the events but having that feature available in the search would make it more convenient to get an at-a-glance view of failed attempts and the IP addresses that are attempting to get access. This is not to say I don't trust Microsoft's ability to detect suspicious logins; it's more for our own situational awareness of where *********** attempts are coming from.
Embry Fedora commented
Meanwhile you can use this script to export failed login attempts alone. Also this script supports more advanced filtering options too.
- Allows you to filter the result based on successful and failed logon attempts.
- The exported report has the IP addresses from which your Office 365 users are logging in.
- This script can be executed with an MFA-enabled account.
- You can choose to export either “All Office 365 users’ login attempts” or “Specific Office user’s logon attempts”.
- By using advanced filtering options, you can export “Office 365 users Sign-in report” and “Suspicious login report”.
- Exports report result to CSV.
- This script is scheduler friendly, i.e., credentials can be passed as a parameter instead of being saved inside the script.
- Our Logon history report tracks login events in AzureActiveDirectory (UserLoggedIn, UserLoginFailed), ExchangeOnline (MailboxLogin) and MicrosoftTeams (TeamsSessionStarted).
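
An added example, not the script referred to in the comment above and not Microsoft's code: it groups `UserLoginFailed` audit records by source IP to give the at-a-glance view the request asks for. The function name `Get-FailedLoginSummary` is hypothetical, and the sample records, user names and addresses are constructed.

```powershell
# Added example: summarise failed sign-ins per source IP from unified audit log records.
# Each record is expected to carry an AuditData property holding a JSON string,
# as returned by Search-UnifiedAuditLog.
function Get-FailedLoginSummary {
    param([Parameter(Mandatory)] [object[]] $Records)

    $Records |
        ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Where-Object { $_.Operation -eq 'UserLoginFailed' } |
        Group-Object -Property ClientIP |
        ForEach-Object {
            $times = $_.Group.CreationTime | Sort-Object
            [pscustomobject]@{
                ClientIP   = $_.Name
                Failures   = $_.Count
                # Many distinct accounts from one IP suggests password spraying;
                # many failures against one account suggests brute force.
                UsersTried = @($_.Group.UserId | Sort-Object -Unique).Count
                FirstSeen  = $times | Select-Object -First 1
                LastSeen   = $times | Select-Object -Last 1
            }
        } |
        Sort-Object -Property Failures -Descending
}

# Constructed sample records (documentation IP ranges, made-up users) so this runs offline.
$sample = @(
    '{"CreationTime":"2024-01-10T08:01:12","Operation":"UserLoginFailed","UserId":"alice@contoso.example","ClientIP":"203.0.113.7"}'
    '{"CreationTime":"2024-01-10T08:01:15","Operation":"UserLoginFailed","UserId":"bob@contoso.example","ClientIP":"203.0.113.7"}'
    '{"CreationTime":"2024-01-10T08:01:19","Operation":"UserLoginFailed","UserId":"carol@contoso.example","ClientIP":"203.0.113.7"}'
    '{"CreationTime":"2024-01-10T09:30:02","Operation":"UserLoginFailed","UserId":"alice@contoso.example","ClientIP":"198.51.100.23"}'
    '{"CreationTime":"2024-01-10T09:31:40","Operation":"UserLoggedIn","UserId":"alice@contoso.example","ClientIP":"198.51.100.23"}'
) | ForEach-Object { [pscustomobject]@{ AuditData = $_ } }

Get-FailedLoginSummary -Records $sample | Format-Table -AutoSize

# Against a live tenant (after Connect-ExchangeOnline), pass real records instead:
# $live = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations UserLoginFailed -ResultSize 5000
# Get-FailedLoginSummary -Records $live | Export-Csv -Path .\failed-logins-by-ip.csv -NoTypeInformation
```

With the constructed sample, 203.0.113.7 is listed first with three failures across three accounts, and the successful `UserLoggedIn` record is excluded.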
This is a must. If you have a perpetrator attacking you, one would like to see that all failed attempts are coming from one user.
Definitely something necessary for admins. I would rather know at the time of the attempts than have to deal with it retroactively.