$$ANON_USER$$ asked vipulsparsh-MSFT answered

o365 login attempts to Sentinel SIEM

Using a KQL query, how would someone pull login attempts to O365 from a user using the Sentinel SIEM? Logging in from outside the org into the Office.com portal?

I know the logs or login events are captured on MCAS, but I'd want to see more details in Sentinel.

microsoft-sentinel


I wanted to follow up and know if the below responses helped in answering your query. If they did, please do not forget to accept the appropriate response as the answer.


1 Answer

vipulsparsh-MSFT answered

Thanks for reaching out. You would need to add the Azure Active Directory connector in the Azure Sentinel workspace. We collect the sign-in info in the AAD logs.


Once the logs are ingested, which can take some time, there are inbuilt queries which you can modify to get just the Office 365 portal logs.
That is denoted as Microsoft Office 365 Portal in the sign-in reports.

So you can run a basic query, which is as basic as:

SigninLogs
| where AppDisplayName == "Microsoft Office 365 Portal"
| take 100

This will take the results from the sign-in logs table and show the top 100 rows. The query can be modified to any specific UPN, location or device as per need.
You can check a few of the templates in the AAD connector, which has lots of sample queries inbuilt.
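As an added example (not part of the answer above), here is one way to extend that basic query toward the original question: one user's sign-ins to the Office 365 portal, with sign-ins from trusted named locations dropped as a proxy for "inside the org", grouped by source IP and outcome. The UPN, the 14-day window and the use of `NetworkLocationDetails` for the trusted-location check are my assumptions; adjust them to your tenant.

```kql
// Added example, not from the answer above.
// Assumptions: targetUser is a placeholder UPN; "trusted" means a
// Conditional Access named location tagged as trustedNamedLocation.
let lookback = 14d;
let targetUser = "user@example.com";   // placeholder UPN
SigninLogs
| where TimeGenerated > ago(lookback)
| where AppDisplayName == "Microsoft Office 365 Portal"
| where UserPrincipalName =~ targetUser
// NetworkLocationDetails lists the named locations the source IP matched;
// keep only sign-ins that did not match a trusted one
| where isempty(NetworkLocationDetails)
     or tostring(NetworkLocationDetails) !has "trustedNamedLocation"
// ResultType is a string in SigninLogs; "0" is a successful sign-in
| extend Country = tostring(LocationDetails.countryOrRegion),
         City    = tostring(LocationDetails.city),
         Outcome = iff(ResultType == "0", "Success", "Failure")
| summarize Attempts  = count(),
            Failures  = countif(ResultType != "0"),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Reasons   = make_set(ResultDescription, 5)
        by UserPrincipalName, IPAddress, Country, City,
           ConditionalAccessStatus, Outcome
| order by Failures desc, Attempts desc
```

Dropping the `UserPrincipalName` filter turns this into a tenant-wide view of portal sign-ins from untrusted locations, which is a reasonable starting point for an analytics rule.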
