Lab 3 - Azure AD Geo location of User Logins
You want to see where your users are logging in from across the world, so you can quickly spot sign-ins from locations you do not expect and confirm that users are logging in from the geo locations they should be. You will learn and use the Geo Lookup functionality for this exercise. The Geo Lookup function converts an IP address into information about the location the address is registered to (country, region, city and coordinates).
Create the Active Directory Geo Location of Login Activity query.
Create a new log search query, looking at log data for the last 24 hours, and select the Azure Active Directory (AD) source category. Your query will look like this:
_sourceCategory="Labs/Azure/AD"
Parse the following fields from the JSON, as we will need this information for our query. Note that the sign-in records spell the caller address field `callerIpAddress`; use exactly that spelling in the `json` operator or the extraction will come back empty.

| Field | How we want to reference this field |
| --- | --- |
| time | event_time |
| identity | actor |
| operationName | event_type |
| callerIpAddress | callerIpAddress (keeps its JSON name) |
| resultType | result |
Your query should look like this. The `//` at the end of the first line starts a Sumo Logic search comment, so the two `!"..."` keyword exclusions after it are not applied yet; remove the `//` if you want to drop the directory-sync service activity ("Azure AD Cloud Sync" and "Microsoft.Azure.SyncFabric") from the results.
_sourceCategory="Labs/Azure/AD" //!"Azure AD Cloud Sync" !"Microsoft.Azure.SyncFabric"
| json field=_raw "time" as event_time
| json field=_raw "identity" as actor
| json field=_raw "operationName" as event_type
| json field=_raw "callerIpAddress"
| json field=_raw "resultType" as result
You want to view only those results where actor and event_type are not empty, and where event_type is "Sign-in activity" (the operationName Azure AD assigns to sign-in events; audit events in the same feed carry other operation names and are filtered out by this condition).
Now we want to use the lookup command to add latitude, longitude, country_name, city and region, keyed on the caller IP address. An address the lookup cannot place (a private range, or an address missing from the geo table) keeps its row but comes back with empty geo fields, so such sign-ins will not appear on the map. GeoIP data is also approximate: VPN exit nodes, mobile carriers and cloud egress can place a user far from where they actually are, so treat an unexpected country as a lead to investigate rather than proof of compromise. Your query should now look like this:
_sourceCategory="Labs/Azure/AD" //!"Azure AD Cloud Sync" !"Microsoft.Azure.SyncFabric"
| json field=_raw "time" as event_time
| json field=_raw "identity" as actor
| json field=_raw "operationName" as event_type
| json field=_raw "callerIpAddress"
| json field=_raw "resultType" as result
| where !isEmpty(actor)
| where !isEmpty(event_type)
| where event_type = "Sign-in activity"
| lookup latitude,longitude,country_name,city,region from geo://location on ip=callerIpAddress
Let's count by actor, caller IP address, latitude, longitude, country_name and event type, using the same `callerIpAddress` field name we parsed earlier. Your final query should look like this:
_sourceCategory="Labs/Azure/AD" //!"Azure AD Cloud Sync" !"Microsoft.Azure.SyncFabric"
| json field=_raw "time" as event_time
| json field=_raw "identity" as actor
| json field=_raw "operationName" as event_type
| json field=_raw "callerIpAddress"
| json field=_raw "resultType" as result
| where !isEmpty(actor)
| where !isEmpty(event_type)
| where event_type = "Sign-in activity"
| lookup latitude,longitude,country_name,city,region from geo://location on ip=callerIpAddress
| count by actor,callerIpAddress,latitude,longitude,country_name,event_type
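To see what the finished query actually does to a record, here is the same pipeline written in Python as an added example; it is not part of the lab and not Sumo Logic code. The sign-in records are constructed in the shape Azure AD SignInLogs take when exported, using documentation IP ranges, and the geo table is a hypothetical stand-in for `geo://location` with made-up coordinates. It also goes one step past the lab query with an `outside_expected` check that lists rows whose country is not in an expected set, including rows whose address could not be placed at all.

```python
"""Offline walk-through of the lab's Azure AD geo-location query (added example)."""
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample records: the fields the lab parses, in the shape of Azure AD
# SignInLogs/AuditLogs exported to Sumo Logic. Addresses are RFC 5737 documentation
# ranges plus one RFC 1918 address; none of this is real sign-in data.
SAMPLE_LOGS = [
    '{"time":"2024-01-15T08:01:22Z","operationName":"Sign-in activity","identity":"alice@example.com","callerIpAddress":"203.0.113.10","resultType":"0"}',
    '{"time":"2024-01-15T08:05:09Z","operationName":"Sign-in activity","identity":"alice@example.com","callerIpAddress":"203.0.113.10","resultType":"0"}',
    '{"time":"2024-01-15T08:09:41Z","operationName":"Sign-in activity","identity":"bob@example.com","callerIpAddress":"198.51.100.7","resultType":"50126"}',
    '{"time":"2024-01-15T08:12:00Z","operationName":"Sign-in activity","identity":"alice@example.com","callerIpAddress":"192.0.2.44","resultType":"0"}',
    '{"time":"2024-01-15T08:13:13Z","operationName":"Sign-in activity","identity":"","callerIpAddress":"203.0.113.10","resultType":"0"}',
    '{"time":"2024-01-15T08:14:27Z","operationName":"Add user","identity":"Microsoft.Azure.SyncFabric","callerIpAddress":"","resultType":"0"}',
    '{"time":"2024-01-15T08:15:55Z","operationName":"Sign-in activity","identity":"carol@example.com","callerIpAddress":"10.0.0.5","resultType":"0"}',
]

# Hypothetical stand-in for the geo://location table; coordinates are invented.
GEO_TABLE = {
    "203.0.113.10": {"latitude": 47.61, "longitude": -122.33, "country_name": "United States", "city": "Seattle", "region": "WA"},
    "198.51.100.7": {"latitude": 51.51, "longitude": -0.13, "country_name": "United Kingdom", "city": "London", "region": "ENG"},
    "192.0.2.44": {"latitude": 55.75, "longitude": 37.62, "country_name": "Russia", "city": "Moscow", "region": "MOW"},
}
GEO_FIELDS = ("latitude", "longitude", "country_name", "city", "region")
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def parse_record(raw):
    """The five `json field=_raw ... as ...` extractions from the lab, with the same aliases."""
    doc = json.loads(raw)
    return {
        "event_time": doc.get("time"),
        "actor": doc.get("identity"),
        "event_type": doc.get("operationName"),
        "callerIpAddress": doc.get("callerIpAddress"),
        "result": doc.get("resultType"),
    }


def geo_lookup(ip):
    """Equivalent of `lookup ... from geo://location on ip=callerIpAddress`.
    Like the real lookup, an address that cannot be placed (empty, malformed, RFC 1918,
    or simply absent from the table) yields empty geo fields instead of dropping the row."""
    empty = dict.fromkeys(GEO_FIELDS, None)
    if not ip:
        return empty
    try:
        addr = ip_address(ip)
    except ValueError:
        return empty
    if any(addr in net for net in RFC1918):  # no GeoIP source can place private space
        return empty
    return dict(GEO_TABLE.get(ip, empty))


def sign_in_locations(raw_lines):
    """The final lab query: the two !isEmpty filters, the event_type filter, the geo lookup,
    then `count by actor,callerIpAddress,latitude,longitude,country_name,event_type`."""
    counts = Counter()
    for raw in raw_lines:
        rec = parse_record(raw)
        if not rec["actor"] or not rec["event_type"]:  # where !isEmpty(actor) / !isEmpty(event_type)
            continue
        if rec["event_type"] != "Sign-in activity":  # where event_type = "Sign-in activity"
            continue
        geo = geo_lookup(rec["callerIpAddress"])
        key = (rec["actor"], rec["callerIpAddress"], geo["latitude"], geo["longitude"],
               geo["country_name"], rec["event_type"])
        counts[key] += 1
    return counts


def outside_expected(counts, expected_countries):
    """Added check beyond the lab query: (actor, ip, country, count) for rows whose country is not
    in the expected set. Unresolved rows (country None) are reported too, so a private or unknown
    address is never silently treated as trusted."""
    return sorted(
        ((actor, ip, country, n) for (actor, ip, _lat, _lon, country, _etype), n in counts.items()
         if country not in expected_countries),
        key=lambda row: (row[0], row[1]),
    )


if __name__ == "__main__":
    rows = sign_in_locations(SAMPLE_LOGS)
    for key, n in sorted(rows.items(), key=lambda kv: (-kv[1], str(kv[0]))):
        print(n, *key)
    print("outside expected:", outside_expected(rows, {"United States", "United Kingdom"}))
```

Of the seven constructed records, the empty-identity row and the "Add user" audit row are filtered out, alice's two sign-ins from the same address collapse into one row with a count of 2, and carol's sign-in from 10.0.0.5 survives with empty geo fields, which is exactly the row the Sumo Logic map would not plot.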
Now change the aggregate view to display a Map: look for the Map icon on the aggregates toolbar. Each point on the map is placed from the latitude and longitude returned by the lookup, so rows with empty geo fields are not shown.
You now have the data you want to add to your existing dashboard. Add it to the dashboard you created in Exercise 3 by clicking the Add to Dashboard button in the aggregates tab. Your dashboard should look like this: