Office 365 UserLoggedIn Event Discrepancy

When using the AlienApp for Office 365, you may see successful login events when the user actually fails to log in. For example:

This is not a mistake in the AlienApp. It reflects the data USM Anywhere receives from Microsoft Office 365, and the behavior appears to be by design. When examining the raw log for this event, notice that ResultStatusDetail (mapped to Event Outcome) shows Success while LogonError (mapped to Audit Reason) shows UserAccountNotFound:

{
  "CreationTime": "2020-01-03T04:20:32",
  "Operation": "UserLoggedIn",
  "ResultStatus": "Succeeded",
  "ExtendedProperties": {
    "FlowTokenScenario": "Login",
    "RequestType": "Login:login",
    "ResultStatusDetail": "Success"
  },
  "Target": [
    {
      "ID": "Unknown",
      "Type": 0
    }
  ],
  "TargetContextId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "LogonError": "UserAccountNotFound"
}

AT&T Cybersecurity has seen similar issues reported in different communities, including the Microsoft community. Unfortunately, there is no clear answer on what causes the discrepancy. Since Office 365 uses Microsoft Azure Active Directory (AD) to authenticate users, one possible explanation is that the user accounts are not synchronized. See the Microsoft documentation to understand the relationship between Office 365 and Azure AD.

Because of this discrepancy, to construct a list of truly successful login events in USM Anywhere, you need to filter for UserLoggedIn events with an empty Audit Reason field. For example:
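The same filter applied to raw audit records rather than in the USM Anywhere search, as an added example that is not part of the original article or of the AlienApp. The sample records are constructed, and the labels success, discrepant, failed and other are names chosen for this example only.

```python
import json

# Constructed sample records shaped like the raw log above (not real tenant data).
SAMPLE_LOG = """[
  {"CreationTime": "2020-01-03T04:20:32", "Operation": "UserLoggedIn",
   "ResultStatus": "Succeeded", "LogonError": "UserAccountNotFound"},
  {"CreationTime": "2020-01-03T04:21:10", "Operation": "UserLoggedIn",
   "ResultStatus": "Succeeded"},
  {"CreationTime": "2020-01-03T04:22:45", "Operation": "UserLoggedIn",
   "ResultStatus": "Succeeded", "LogonError": ""},
  {"CreationTime": "2020-01-03T04:23:02", "Operation": "UserLoginFailed",
   "ResultStatus": "Failed", "LogonError": "InvalidUserNameOrPassword"}
]"""


def audit_reason(record):
    """LogonError (Audit Reason in USM Anywhere); '' when missing, null or blank."""
    value = record.get("LogonError")
    return value.strip() if isinstance(value, str) else ""


def classify(record):
    """Label one audit record (labels are this example's own, hypothetical names)."""
    if record.get("Operation") != "UserLoggedIn":
        return "other"
    succeeded = record.get("ResultStatus") == "Succeeded"
    if audit_reason(record):
        # Outcome says success but a logon error is present: the discrepancy.
        return "discrepant" if succeeded else "failed"
    return "success" if succeeded else "failed"


def split_logins(records):
    """Group CreationTime values by label so true successes can be listed alone."""
    groups = {"success": [], "discrepant": [], "failed": [], "other": []}
    for record in records:
        groups[classify(record)].append(record.get("CreationTime"))
    return groups


if __name__ == "__main__":
    for label, times in split_logins(json.loads(SAMPLE_LOG)).items():
        print(f"{label:10} {times}")
```

Records in the discrepant group are the ones to exclude from successful-login counts and any detection that keys on Event Outcome alone.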