blog.icewolf.ch

Let's talk about IT!
posts - 2204, comments - 295, trackbacks - 0

My Links

Archives

Post Categories

icewolf

Analyze Azure Active Directory Sign-in Location

Hi All,

Azure Active Directory Sign-in Logs is really helpful, when analyzing Sign-in Problems.

But it also can be very helpful, when analyzing the overall Sign-ins or looking out for strange behavior.
One of the Tips would be th Filter for Location and use the CountryCode and Status of Sucess


I have set up Azure Active Directory Diagnostics to save the Sign-In Logs to a LogAnalytics Workspace.
Here you can Query the Logs with KQL. Let's search for Logins that come from Outside Switzerland.

SigninLogs
| where TimeGenerated > ago(30d)
| where LocationDetails.countryOrRegion <> "CH"
//| where Status.errorCode <> "0" //Not Sucessful Logins
| project UserPrincipalName, Status.errorCode, Status.failureReason,AppDisplayName, ResourceDisplayName, LocationDetails.countryOrRegion



It's worht mentioning that there are also some predefined Workbooks available


"Sign-ins" will give you an overview and also a Heatmap


"Sign-In Analysis (Preview AAD & AD FS)" will extend that to the Federation Services.



If you want to go further, you can create Workbooks created by others. Here's one Example

How to use Azure Sentinel to follow a Users travel and map their location

Regards
Andres Bohren


Print | posted on Thursday, May 26, 2022 8:12 AM | Filed Under [ Security Azure ]

Powered by:
Powered By Subtext Powered By ASP.NET