<span class="pill kill-chain">_time</span>
<span class="pill kill-chain">ActorContextId</span>
<span class="pill kill-chain">ActorIpAddress</span>
<span class="pill kill-chain">Actor{}.ID</span>
<span class="pill kill-chain">Actor{}.Type</span>
<span class="pill kill-chain">ApplicationId</span>
<span class="pill kill-chain">AzureActiveDirectoryEventType</span>
<span class="pill kill-chain">BrowserType</span>
<span class="pill kill-chain">ClientIP</span>
<span class="pill kill-chain">CreationTime</span>
<span class="pill kill-chain">DeviceProperties{}.Name</span>
<span class="pill kill-chain">DeviceProperties{}.Value</span>
<span class="pill kill-chain">ErrorNumber</span>
<span class="pill kill-chain">ExtendedProperties{}.Name</span>
<span class="pill kill-chain">ExtendedProperties{}.Value</span>
<span class="pill kill-chain">Id</span>
<span class="pill kill-chain">InterSystemsId</span>
<span class="pill kill-chain">IntraSystemId</span>
<span class="pill kill-chain">IsCompliantAndManaged</span>
<span class="pill kill-chain">LogonError</span>
<span class="pill kill-chain">OS</span>
<span class="pill kill-chain">ObjectId</span>
<span class="pill kill-chain">Operation</span>
<span class="pill kill-chain">OrganizationId</span>
<span class="pill kill-chain">RecordType</span>
<span class="pill kill-chain">RequestType</span>
<span class="pill kill-chain">ResultStatus</span>
<span class="pill kill-chain">ResultStatusDetail</span>
<span class="pill kill-chain">SupportTicketId</span>
<span class="pill kill-chain">TargetContextId</span>
<span class="pill kill-chain">Target{}.ID</span>
<span class="pill kill-chain">Target{}.Type</span>
<span class="pill kill-chain">UserAgent</span>
<span class="pill kill-chain">UserAuthenticationMethod</span>
<span class="pill kill-chain">UserId</span>
<span class="pill kill-chain">UserKey</span>
<span class="pill kill-chain">UserType</span>
<span class="pill kill-chain">Version</span>
<span class="pill kill-chain">Workload</span>
<span class="pill kill-chain">action</span>
<span class="pill kill-chain">app</span>
<span class="pill kill-chain">authentication_method</span>
<span class="pill kill-chain">authentication_service</span>
<span class="pill kill-chain">command</span>
<span class="pill kill-chain">dataset_name</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">dest_name</span>
<span class="pill kill-chain">dvc</span>
<span class="pill kill-chain">event_type</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">object</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">reason</span>
<span class="pill kill-chain">record_type</span>
<span class="pill kill-chain">result</span>
<span class="pill kill-chain">signature</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">src</span>
<span class="pill kill-chain">src_ip</span>
<span class="pill kill-chain">status</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::action</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">user</span>
<span class="pill kill-chain">user_agent</span>
<span class="pill kill-chain">user_type</span>
<span class="pill kill-chain">vendor_account</span>
<span class="pill kill-chain">vendor_product</span>
</div>
Data Source: O365 UserLoginFailed
Description
Logs failed login attempts by users in Microsoft 365, including details about the user account, IP address, and reason for failure.
Details
| Property | Value |
|---|---|
| Source | o365 |
| Sourcetype | o365:management:activity |
| Separator | Operation |
Related Detections
Supported Apps
- Splunk Add-on for Microsoft Office 365 (version 5.1.0)
Event Fields
Fields
Example Log
1{"CreationTime": "2023-10-10T17:08:65", "Id": "4593aac8-855f-4341-9d2a-4289146eb800", "Operation": "UserLoginFailed", "OrganizationId": "d541aae6-6b73-4a7c-aaf0-a4de30c872bc", "RecordType": 15, "ResultStatus": "Failed", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "52.3.21.4", "ObjectId": "Unknown", "UserId": "user30@contoso.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "UserError"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "OAuth2:Token"}], "ModifiedProperties": [], "Actor": [{"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 0}, {"ID": "user30@contoso.onmicrosoft.com", "Type": 5}], "ActorContextId": "d541aae6-6b73-4a7c-aaf0-a4de30c872bc", "ActorIpAddress": "52.3.21.4", "InterSystemsId": "97e59adc-b4be-4ea6-8f17-b46677242190", "IntraSystemId": "eeeba3a0-c619-437a-9879-3dd009f9bf00", "SupportTicketId": "", "Target": [{"ID": "Unknown", "Type": 0}], "TargetContextId": "d541aae6-6b73-4a7c-aaf0-a4de30c872bc", "ApplicationId": "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223", "DeviceProperties": [{"Name": "OS", "Value": "Windows10"}, {"Name": "BrowserType", "Value": "Chrome"}, {"Name": "IsCompliantAndManaged", "Value": "False"}], "ErrorNumber": "50126", "LogonError": "InvalidUserNameOrPassword"}
Required Output Fields
-
dest
-
user
-
src
-
vendor_account
-
vendor_product
Source: GitHub | Version: 2