Sumo Logic

Lab 3 - Azure AD Geo location of User Logins

Explore the use of location data and the Lookup command to look up geographical information based on an IP address.

You want to see where across the world your users are logging in from, so you can quickly identify where sign-ins originate and confirm they come from expected geographic locations. You will learn and use the Geo Lookup functionality for this exercise. The Geo Lookup function converts an IP address into information about the location associated with that IP address.

Create the Active Directory Geo Location of Login Activity query.


  1. Create a new log search query looking at log data for the last 24 hours, and select the Azure Active Directory (AD) source category. Your query will look like this:

_sourceCategory="Labs/Azure/AD"

Parse the following fields from the JSON, as we will need this information for our query.

Field               How we want to reference this field
time                event_time
identity            actor
operationName       event_type
callerIpAddress     callerIpAddress
resultType          result
     Your query should look like this:
    _sourceCategory="Labs/Azure/AD" //!"Azure AD Cloud Sync" !"Microsoft.Azure.SyncFabric"
    | json field=_raw "time" as event_time
    | json field=_raw "identity" as actor
    | json field=_raw "operationName" as event_type
    | json field=_raw "callerIpAddress"
    | json field=_raw "resultType" as result
  2. You want to view only those results where actor and event_type are not empty, as well as where event_type is "Sign-in activity".

  3. Now we want to use the lookup command to view the latitude, longitude, country_name, city and region.  Your query should now look like this:
    _sourceCategory="Labs/Azure/AD" //!"Azure AD Cloud Sync" !"Microsoft.Azure.SyncFabric"
    | json field=_raw "time" as event_time
    | json field=_raw "identity" as actor
    | json field=_raw "operationName" as event_type
    | json field=_raw "callerIpAddress"
    | json field=_raw "resultType" as result
    | where !isEmpty(actor)
    | where !isEmpty(event_type)
    | where event_type = "Sign-in activity"
    | lookup latitude,longitude,country_name,city,region from geo://location on ip=callerIpAddress

  4. Let's count by actor, caller IP address, latitude, longitude, country_name, and event type. Your final query should look like this:
    _sourceCategory="Labs/Azure/AD" //!"Azure AD Cloud Sync" !"Microsoft.Azure.SyncFabric"
    | json field=_raw "time" as event_time
    | json field=_raw "identity" as actor
    | json field=_raw "operationName" as event_type
    | json field=_raw "callerIpAddress"
    | json field=_raw "resultType" as result
    | where !isEmpty(actor)
    | where !isEmpty(event_type)
    | where event_type = "Sign-in activity"
    | lookup latitude,longitude,country_name,city,region from geo://location on ip=callerIpAddress
    | count by actor,callerIpAddress,latitude,longitude,country_name,event_type

  5. Also, let's change the aggregate data to display a Map. Look for the Map icon on the aggregates toolbar.

  6. Now that you have the data you want, add it to your existing dashboard. Add this to the dashboard you created in Exercise 3 by clicking the Add to Dashboard button in the Aggregates tab.
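To make the steps above concrete outside the Sumo Logic UI, here is an added Python example (not part of the original lab or of Sumo Logic) that runs the same pipeline offline: parse the five JSON fields, drop events with an empty actor or event_type, keep only "Sign-in activity", enrich each caller IP with location data, and count by actor, IP, latitude, longitude, country_name and event_type. The sample log lines and the small IP-to-location table are constructed for this example; the table stands in for the geo://location lookup, which in a real deployment is backed by a GeoIP database. It also adds one check the lab's map invites you to do by eye: listing actors who signed in from more than one country in the window.

```python
import json
from collections import Counter, defaultdict

# Constructed sample Azure AD sign-in events (not real log data); only the
# fields the lab parses are populated. IPs come from RFC 5737 documentation ranges.
SAMPLE_LOGS = [
    json.dumps({"time": "2024-01-10T08:00:00Z", "identity": "alice@example.com",
                "operationName": "Sign-in activity", "callerIpAddress": "203.0.113.10", "resultType": "0"}),
    json.dumps({"time": "2024-01-10T08:05:00Z", "identity": "alice@example.com",
                "operationName": "Sign-in activity", "callerIpAddress": "203.0.113.10", "resultType": "0"}),
    json.dumps({"time": "2024-01-10T09:30:00Z", "identity": "alice@example.com",
                "operationName": "Sign-in activity", "callerIpAddress": "198.51.100.7", "resultType": "50126"}),
    json.dumps({"time": "2024-01-10T10:00:00Z", "identity": "bob@example.com",
                "operationName": "Sign-in activity", "callerIpAddress": "192.0.2.44", "resultType": "0"}),
    # The lab's where clauses drop these two: empty actor, and a non-sign-in operation.
    json.dumps({"time": "2024-01-10T10:01:00Z", "identity": "",
                "operationName": "Sign-in activity", "callerIpAddress": "192.0.2.44", "resultType": "0"}),
    json.dumps({"time": "2024-01-10T10:02:00Z", "identity": "Microsoft.Azure.SyncFabric",
                "operationName": "Update user", "callerIpAddress": "192.0.2.44", "resultType": "0"}),
]

# Constructed stand-in for Sumo Logic's geo://location table (hypothetical values).
GEO_TABLE = {
    "203.0.113.10": {"latitude": 51.51, "longitude": -0.13, "country_name": "United Kingdom", "city": "London", "region": "ENG"},
    "198.51.100.7": {"latitude": 55.75, "longitude": 37.62, "country_name": "Russia", "city": "Moscow", "region": "MOW"},
    "192.0.2.44": {"latitude": 40.71, "longitude": -74.01, "country_name": "United States", "city": "New York", "region": "NY"},
}

GEO_FIELDS = ("latitude", "longitude", "country_name", "city", "region")


def parse_event(raw):
    """Equivalent of the lab's json field=_raw "..." as ... lines."""
    d = json.loads(raw)
    return {
        "event_time": d.get("time"),
        "actor": d.get("identity"),
        "event_type": d.get("operationName"),
        "callerIpAddress": d.get("callerIpAddress"),
        "result": d.get("resultType"),
    }


def geo_enrich(event, geo_table=GEO_TABLE):
    """Equivalent of lookup ... from geo://location on ip=callerIpAddress.
    An IP missing from the table leaves the location fields empty (None), as the
    lookup does, so such rows still appear in the counts and are easy to spot."""
    geo = geo_table.get(event["callerIpAddress"], {})
    for f in GEO_FIELDS:
        event[f] = geo.get(f)
    return event


def sign_in_geo_counts(raw_lines, geo_table=GEO_TABLE):
    """Full pipeline: parse -> where clauses -> lookup -> count by the lab's six keys."""
    counts = Counter()
    for raw in raw_lines:
        ev = parse_event(raw)
        if not ev["actor"] or not ev["event_type"]:   # where !isEmpty(actor) / !isEmpty(event_type)
            continue
        if ev["event_type"] != "Sign-in activity":    # where event_type = "Sign-in activity"
            continue
        geo_enrich(ev, geo_table)
        key = (ev["actor"], ev["callerIpAddress"], ev["latitude"], ev["longitude"],
               ev["country_name"], ev["event_type"])
        counts[key] += 1
    return counts


def actors_in_multiple_countries(counts):
    """Actors whose sign-ins in the window came from more than one country."""
    by_actor = defaultdict(set)
    for (actor, _ip, _lat, _lon, country, _etype) in counts:
        by_actor[actor].add(country)
    return {a: sorted(c, key=str) for a, c in by_actor.items() if len(c) > 1}


if __name__ == "__main__":
    counts = sign_in_geo_counts(SAMPLE_LOGS)
    for key, n in sorted(counts.items(), key=lambda kv: str(kv[0])):
        print(n, key)
    print("multi-country actors:", actors_in_multiple_countries(counts))
```

Note that the lab parses resultType into `result` but never uses it, so the map mixes successful and failed sign-ins. In Azure AD sign-in logs a resultType of "0" is a successful sign-in, so adding `| where result = "0"` (or grouping by `result`) before the count separates the two, which matters when deciding whether an unexpected country on the map is a compromised account or just a failed attempt.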