Audit log shows multiple User was blocked warnings with the following description:
<Username> was blocked due to ten failed sign-in attempts
User agent: 'Faraday v0.9.2'
Audit log tab shows that the failed logins came from IP in datacenter-internal 10.x.x.x network.
When one checks the events in the Audit log tab in the Management console at the tenant level where the respective cloud login was blocked, one can see parts of the event payload like: