25,101 questions
Hi @JamesTran-MSFT I am seeing this on SIEM platform that integrates with Office 365 using graph API and polls for Office 365 audit events.
Clarification on Azure Active Directory login event from Office 365
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 33%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
Venkatesh
36
Reputation points
Hi,
Following is one of the audit events pertaining to 'logon successful' in Office 365 environment which is authenticated by Azure AD. Just trying to understand what does "Login:reprocess" in the RequestType mean here ? What kind of login has the user performed in this case ? It will be helpful if somebody can throw some light. I am a Cyber security engineer and it is important for me to understand the events so i can do the threat hunting.
{"CreationTime":"2020-08-12T06:14:31","Id":"#REMOVED","Operation":"UserLoggedIn","OrganizationId":"#REMOVED","RecordType":15,"ResultStatus":"Succeeded","UserKey":"#REMOVED","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"#REMOVED","ObjectId":"Unknown","UserId":"#REMOVED","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"},{"Name":"UserAuthenticationMethod","Value":"5"},{"Name":"RequestType","Value":"Login:reprocess"},{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"KeepMeSignedIn","Value":"False"}],"ModifiedProperties":[],"Actor":[{"ID":"#REMOVED","Type":0},{"ID":"#REMOVED","Type":5},{"ID":"#REMOVED","Type":3}],"ActorContextId":"#REMOVED","ActorIpAddress":"#REMOVED","InterSystemsId":"#REMOVED","IntraSystemId":"#REMOVED","SupportTicketId":"","Target":[{"ID":"Unknown","Type":0}],"TargetContextId":"#REMOVED","ApplicationId":"#REMOVED"}
Note: I have replaced some of the sensitive content in the event with "#REMOVED"
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator2020-08-19T18:50:01.827+00:00 @Venkatesh
Thank you for your post! Are you able to provide a screenshot of where you're seeing this info:Is it within the O365 audit event logs?
Or are you seeing this within AzureAD under the Sign-in or Audit Logs blade?
Have you tried to reproduce this "Request Type value" with any other users?AzureAD:
Any additional info would be greatly appreciated.
Thank you for your time and patience! -
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
2020-08-21T16:03:59.437+00:00 @Venkatesh
I just wanted to check in and see if you needed any additional assistance or if you were able to find an answer to your question(s)?
Sign in to comment
2 answers
Sort by: Most helpful
-
Venkatesh 36 Reputation points
2020-09-02T12:23:26.537+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 6%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
Ahmed, Ramy 0 Reputation points2024-01-28T14:03:19.5866667+00:00 Hi Venkatesh, have you found an answer to this? I am facing the same thing now
Sign in to comment -
-
MANDEEP KUMAR 0 Reputation points2024-04-23T17:06:03.4366667+00:00 Hi @Everyone,
I have analyzed a similar log from SIEM's o365 log source and looked into the parameter in question. Based on my research, the parameter "Login:reprocess" signifies that the user's session has expired. When the user attempts to access the application or service again, they are prompted to reauthenticate.
I would recommend checking for any associated logs and correlating them with the incident to gain further insights.
Security Analyst,
https://www.linkedin.com/in/mandeepkumarbanihall/