We’re having an issue in our tenant where multiple customers are having many consecutive failed logins and this is causing the IP shield to activate - blocking their IP for a limited time by design.
I suspect that one case is a legitimate school where too many students tried a wrong password.
Another case is a malicious attempt to confirm hundreds of different purchased email/password combinations where 100% of attempts fail, as they are trying to get a single user's successful login. This will also trigger the IP shield, which is good.
Today in our tenant we have both of these cases, concurrently.
But because of the filtering options in the log field, I know the IP of the malicious case, but I still need to see logs for other events with a blocked IP where the IP is NOT the malicious one.
How can I query that?
According to the query docs I should be able to use
- Operators (AND, OR, NOT) work on all searchable fields.
But when I try to query for
ip:NOT"188.8.131.52" (where that is the malicious IP I do not want in the results), it doesn't work.
I am already using the Filter to only show the Blocked IP Address events, but there are still too many, and the view doesn't show the IP address until you open a specific log.
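As a stopgap when the dashboard filter is too coarse, here is an added example (not from the original post or from the log service's own tooling) that reads exported newline-delimited JSON log records and summarises Blocked IP Address events per source IP, leaving out the already-identified malicious address. The field names, the `limit_ip` event code standing for "Blocked IP Address", and the sample records are assumptions constructed for this example.

```python
import json

# Constructed sample of exported log entries (not real tenant data).
# Assumed shape: "type" is the event code, "ip" the source address,
# "date" an ISO-8601 timestamp. Treating "limit_ip" as the code behind
# the "Blocked IP Address" filter is an assumption for this example.
SAMPLE_LOGS = """
{"date": "2021-05-03T08:00:01Z", "type": "limit_ip", "ip": "188.8.131.52", "description": "Blocked IP Address"}
{"date": "2021-05-03T08:00:02Z", "type": "f", "ip": "188.8.131.52", "description": "Failed Login"}
{"date": "2021-05-03T08:05:10Z", "type": "limit_ip", "ip": "203.0.113.45", "description": "Blocked IP Address"}
{"date": "2021-05-03T08:06:11Z", "type": "limit_ip", "ip": "203.0.113.45", "description": "Blocked IP Address"}
{"date": "2021-05-03T08:07:12Z", "type": "limit_ip", "ip": "198.51.100.7", "description": "Blocked IP Address"}
{"date": "2021-05-03T08:09:00Z", "type": "s", "ip": "198.51.100.7", "description": "Success Login"}
"""

BLOCKED_EVENT_TYPE = "limit_ip"          # assumed event code
KNOWN_MALICIOUS = {"188.8.131.52"}       # the IP already identified in the post


def parse_logs(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def other_blocked_ips(records, exclude=KNOWN_MALICIOUS):
    """Per source IP: count of blocked-IP events plus first/last seen,
    ignoring events from IPs already known to be malicious."""
    summary = {}
    for rec in records:
        if rec.get("type") != BLOCKED_EVENT_TYPE or rec.get("ip") in exclude:
            continue
        entry = summary.setdefault(
            rec["ip"], {"count": 0, "first": rec["date"], "last": rec["date"]}
        )
        entry["count"] += 1
        # ISO-8601 strings in the same format sort lexicographically.
        entry["first"] = min(entry["first"], rec["date"])
        entry["last"] = max(entry["last"], rec["date"])
    return summary


if __name__ == "__main__":
    result = other_blocked_ips(parse_logs(SAMPLE_LOGS))
    for ip, info in sorted(result.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:16} {info['count']} blocked-IP event(s) "
              f"between {info['first']} and {info['last']}")
```

Point the same function at a real log export to get the list of blocked IPs that still need triage, with the known attacker removed before you read it.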