O365 “Logon Error” Incidents
There is a known issue where disabled users in Azure AD appear with successful logins in O365 Activities. These logins actually failed, but Microsoft’s APIs report them as successful. The Raw event data Microsoft provides includes a LogonError field, which confirms that the login failed. To address this issue, whenever a UserLoggedIn event from Microsoft is paired with a LogonError in the Raw event data, Cloudlock treats the login as failed. This may cause confusion: the Microsoft Raw event still displays UserLoggedIn in Activities, but the login is actually a failure and will not produce incidents for policies monitoring successful logins.
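The same reconciliation can be applied when reviewing exported Raw events outside Cloudlock. The following is an added example, not Cloudlock's or Microsoft's code: it assumes one JSON object per line, a `UserId` field alongside the `Operation` and `LogonError` fields, and uses constructed sample records and hypothetical function names.

```python
import json

# Constructed sample audit records (not real tenant data). The UserLoggedIn
# operation and LogonError field come from the article; UserId and all values
# are assumptions made for this example.
RAW_EVENTS = """\
{"Operation": "UserLoggedIn", "UserId": "alice@example.com"}
{"Operation": "UserLoggedIn", "UserId": "disabled.user@example.com", "LogonError": "CONSTRUCTED_ERROR_VALUE"}
{"Operation": "UserLoggedIn", "UserId": "bob@example.com", "LogonError": ""}
{"Operation": "FileAccessed", "UserId": "alice@example.com"}
"""


def classify_login(event):
    """Return 'success', 'failure', or None when the event is not a login."""
    if event.get("Operation") != "UserLoggedIn":
        return None
    error = event.get("LogonError")
    # Assumption: an absent, null or blank LogonError means no error was recorded.
    if isinstance(error, str) and error.strip():
        return "failure"
    return "success"


def reconcile(raw_lines):
    """Split UserLoggedIn events into true successes and misreported failures."""
    result = {"success": [], "failure": []}
    for line in raw_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        outcome = classify_login(event)
        if outcome is not None:
            result[outcome].append(event.get("UserId"))
    return result


if __name__ == "__main__":
    # Users under "failure" show UserLoggedIn in the Raw event but did not log in.
    print(reconcile(RAW_EVENTS))
```
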