Generate Alert if Azure Successful Logon doesn't match list of IP Addresses

Comments

1 comment

  • James Rhodes

    Well, I have this so far. Is there a better way to do the list of approved locations, or just keep adding to the where line?


    _sourceCategory = Office365 "\"Workload\":\"AzureActiveDirectory\"" (PasswordLogonInitialAuthUsingADFSFederatedToken or PasswordLogonInitialAuthUsingPassword or UserLoggedIn) (success or Succeeded)
    | json "Workload", "Operation", "ClientIP", "ResultStatus", "ObjectId", "UserId"
    | where Workload = "AzureActiveDirectory" and Operation in ("PasswordLogonInitialAuthUsingADFSFederatedToken", "PasswordLogonInitialAuthUsingPassword", "UserLoggedIn") and ResultStatus in ("success", "Succeeded")
    | count by ClientIP, UserId
    | lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://location on ip = ClientIP
    | where city not in ("Memphis") and !compareCIDRPrefix("192.40.252.0", ClientIP, toInt(24))
    | count by ClientIP, latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code, UserId
    | sort _count
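The same detection logic as the query above, kept outside the query language so the approved locations live in one list rather than in a growing `where` clause. This is an added example, not code from the comment or from Sumo Logic: it parses Office 365 audit records with the same Workload/Operation/ResultStatus filter, checks each successful logon's ClientIP against a list of approved CIDR ranges, and counts the (user, IP) pairs that fall outside it. The sample records and the contents of the approved list (the 192.40.252.0/24 from the query plus a documentation IPv6 range) are constructed for the example.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample: Office 365 Unified Audit Log records shaped like the
# fields the query above parses. Not real data.
SAMPLE_RECORDS = [
    '{"Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","ClientIP":"192.40.252.17","ResultStatus":"Succeeded","UserId":"alice@example.com"}',
    '{"Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","ClientIP":"203.0.113.45","ResultStatus":"Succeeded","UserId":"alice@example.com"}',
    '{"Workload":"AzureActiveDirectory","Operation":"PasswordLogonInitialAuthUsingPassword","ClientIP":"198.51.100.9","ResultStatus":"Failed","UserId":"bob@example.com"}',
    '{"Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","ClientIP":"203.0.113.45","ResultStatus":"success","UserId":"bob@example.com"}',
    '{"Workload":"Exchange","Operation":"MailboxLogin","ClientIP":"203.0.113.45","ResultStatus":"Succeeded","UserId":"bob@example.com"}',
    '{"Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","ClientIP":"2001:db8::10","ResultStatus":"Succeeded","UserId":"carol@example.com"}',
]

# Approved locations as CIDR ranges (hypothetical list: the 192.40.252.0/24
# from the query plus an IPv6 range). Adding a site means appending here
# instead of extending the where clause.
APPROVED_NETWORKS = [
    ipaddress.ip_network("192.40.252.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

LOGON_OPERATIONS = {
    "PasswordLogonInitialAuthUsingADFSFederatedToken",
    "PasswordLogonInitialAuthUsingPassword",
    "UserLoggedIn",
}
SUCCESS_STATUSES = {"success", "succeeded"}


def is_approved(client_ip, networks=APPROVED_NETWORKS):
    """True if client_ip lies inside any approved network. Unparseable values
    are treated as not approved so they surface for review rather than vanish."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    # IPv4 addresses never match IPv6 networks and vice versa.
    return any(addr in net for net in networks)


def successful_logons(raw_lines):
    """Yield (UserId, ClientIP) for successful Azure AD logon events, mirroring
    the Workload / Operation / ResultStatus filter of the query above."""
    for line in raw_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip rather than crash the job
        if rec.get("Workload") != "AzureActiveDirectory":
            continue
        if rec.get("Operation") not in LOGON_OPERATIONS:
            continue
        if str(rec.get("ResultStatus", "")).lower() not in SUCCESS_STATUSES:
            continue
        yield rec.get("UserId"), rec.get("ClientIP")


def unapproved_logons(raw_lines, networks=APPROVED_NETWORKS):
    """Return {(UserId, ClientIP): count} for successful logons whose source
    is outside the approved networks; these are the rows that would alert."""
    counts = Counter()
    for user, ip in successful_logons(raw_lines):
        if not is_approved(ip, networks):
            counts[(user, ip)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (user, ip), n in sorted(unapproved_logons(SAMPLE_RECORDS).items()):
        print(f"ALERT: {user} logged on {n}x from unapproved IP {ip}")
```

Matching on CIDR ranges rather than a city name avoids the two weak spots of the geo lookup approach: a city name only covers one site, and geolocation for an address can change between database updates while the address itself does not.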
