Clarification on Azure Active Directory login event from Office 365

  • Question

  • Hi,

    Following is one of the audit events pertaining to 'logon successful' in an Office 365 environment which is authenticated by Azure AD. I am just trying to understand what "Login:reprocess" in the RequestType means here. What kind of login has the user performed in this case? It will be helpful if somebody can throw some light on this. I am a cyber security engineer and it is important for me to understand the events so I can do the threat hunting.

    {"CreationTime":"2020-08-12T06:14:31","Id":"#REMOVED","Operation":"UserLoggedIn","OrganizationId":"#REMOVED","RecordType":15,"ResultStatus":"Succeeded","UserKey":"#REMOVED","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"#REMOVED","ObjectId":"Unknown","UserId":"#REMOVED","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"},{"Name":"UserAuthenticationMethod","Value":"5"},{"Name":"RequestType","Value":"Login:reprocess"},{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"KeepMeSignedIn","Value":"False"}],"ModifiedProperties":[],"Actor":[{"ID":"#REMOVED","Type":0},{"ID":"#REMOVED","Type":5},{"ID":"#REMOVED","Type":3}],"ActorContextId":"#REMOVED","ActorIpAddress":"#REMOVED","InterSystemsId":"#REMOVED","IntraSystemId":"#REMOVED","SupportTicketId":"","Target":[{"ID":"Unknown","Type":0}],"TargetContextId":"#REMOVED","ApplicationId":"#REMOVED"}

    Note: I have replaced some of the sensitive content in the event with "#REMOVED".


    • Edited by Venki18 Thursday, August 13, 2020 12:33 PM
    Thursday, August 13, 2020 12:30 PM
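
Added example, not part of the original post and not Microsoft's code: a small Python parser for records shaped like the event above, which lifts the ExtendedProperties Name/Value list into flat keys and counts which RequestType / ResultStatusDetail pairs occur, so unusual combinations can be reviewed. The function names, the one-record-per-line feed layout and every sample value other than "Login:reprocess" and "Redirect" are assumptions made for this example.

```python
import json
from collections import Counter

# Constructed sample feed, one record per line, shaped like the event in the post.
# Only "Login:reprocess"/"Redirect" come from the post; other values are made up.
SAMPLE_FEED = """
{"CreationTime":"2020-08-12T06:14:31","Operation":"UserLoggedIn","ResultStatus":"Succeeded","UserId":"user-a","ClientIP":"192.0.2.10","ExtendedProperties":[{"Name":"UserAuthenticationMethod","Value":"5"},{"Name":"RequestType","Value":"Login:reprocess"},{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"KeepMeSignedIn","Value":"False"}]}
{"CreationTime":"2020-08-12T06:15:02","Operation":"UserLoggedIn","ResultStatus":"Succeeded","UserId":"user-b","ClientIP":"192.0.2.11","ExtendedProperties":[{"Name":"RequestType","Value":"PLACEHOLDER-type"},{"Name":"ResultStatusDetail","Value":"PLACEHOLDER-detail"}]}
{"CreationTime":"2020-08-12T06:16:40","Operation":"UserLoggedIn","ResultStatus":"Succeeded","UserId":"user-a","ClientIP":"192.0.2.10"}
not-json debris line
"""

def flatten(record):
    """Copy a record, lifting the ExtendedProperties Name/Value list to 'ext.<Name>' keys."""
    flat = {k: v for k, v in record.items() if k != "ExtendedProperties"}
    for prop in record.get("ExtendedProperties") or []:
        if prop.get("Name") is not None:
            # First value wins if a name is repeated.
            flat.setdefault("ext." + prop["Name"], prop.get("Value"))
    return flat

def parse_feed(text):
    """Return (flattened records, number of lines skipped as unparseable)."""
    records, skipped = [], 0
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            obj = None
        if isinstance(obj, dict):
            records.append(flatten(obj))
        else:
            skipped += 1
    return records, skipped

def request_type_profile(records, operation="UserLoggedIn"):
    """Count (RequestType, ResultStatusDetail) pairs so rare combinations stand out."""
    pairs = Counter()
    for r in records:
        if r.get("Operation") == operation:
            pairs[(r.get("ext.RequestType", "<absent>"),
                   r.get("ext.ResultStatusDetail", "<absent>"))] += 1
    return pairs

if __name__ == "__main__":
    recs, bad = parse_feed(SAMPLE_FEED)
    for (rtype, detail), n in request_type_profile(recs).most_common():
        print(f"{n:4d}  RequestType={rtype}  ResultStatusDetail={detail}")
    print("skipped lines:", bad)
```

The profile only shows which values appear and how often; it does not assign a meaning to any RequestType value.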
