Dec 05 2023 06:49 AM
Recently deployed a custom data connector that pulls logs from one of our BI tools. The logs contain who did what from what IP, but that's about it. I'd like to have alerting for sign-ins or activity coming from another country; the problem here is that "Location" isn't something the BI tool keeps a record of, apart from the IP address.
My question is, what can I do to somehow get a location from the IPs the logs do provide, to create an alert for any out-of-country activity? Could I possibly set up something that looks at IPs from the last 7 days and alerts on new or anomalous IPs?
TIA
Dec 08 2023 07:59 AM
This is one idea (it shows you how to find the country from an IP address) and also how to see if any country wasn't seen in the previous week:
// Baseline: the set of countries seen in sign-ins over the previous week (days -7 to -2)
let week_ = SigninLogs
| where TimeGenerated between(startofday(ago(7d)) .. endofday(ago(2d)))
| where isnotempty(IPAddress)
| summarize count() by IPAddress
| extend LocationDetails = geo_info_from_ip_address(IPAddress)
| extend country = tostring(LocationDetails.country)
| distinct country
;
// Today's sign-ins, resolved to a country, kept only if the country is not in the baseline
SigninLogs
| where TimeGenerated > ago(1d)
| where isnotempty(IPAddress)
| summarize count() by IPAddress
| extend LocationDetails = geo_info_from_ip_address(IPAddress)
| extend country = tostring(LocationDetails.country)
| distinct country, IPAddress
| where country !in (week_) // only show countries Today that were not seen before
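Adapting the same idea to the custom connector table from the question, as an added example (not the original poster's code): it flags both out-of-country activity and IPs not seen in the prior week in one query. The table name BITool_CL, its columns (TimeGenerated, UserPrincipalName, Action, IPAddress) and the home country are assumptions.

```kql
// Assumed custom table and columns (hypothetical, standing in for the BI tool connector):
//   BITool_CL with TimeGenerated, UserPrincipalName, Action, IPAddress
let HomeCountry = "United States";   // assumed home country; adjust to your tenant
// Baseline: every IP seen in the BI tool logs over the previous week (days -8 to -2),
// collected into a single set so it can be checked per row with set_has_element()
let known_ips = toscalar(
    BITool_CL
    | where TimeGenerated between (startofday(ago(8d)) .. endofday(ago(2d)))
    | where isnotempty(IPAddress)
    | summarize make_set(IPAddress, 100000));
// Candidate window: the last day of activity
BITool_CL
| where TimeGenerated > ago(1d)
| where isnotempty(IPAddress)
// Resolve the source IP to a country/city via the built-in GeoLite2-backed lookup
| extend geo = geo_info_from_ip_address(IPAddress)
| extend country = tostring(geo.country), city = tostring(geo.city)
// Two independent signals: outside the home country, or an IP never seen last week
| extend OutOfCountry = country != HomeCountry
| extend NewIP = not(set_has_element(known_ips, IPAddress))
| where OutOfCountry or NewIP
// One row per user/IP pair, with the actions taken, for triage or an analytics rule
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Actions = make_set(Action, 20)
    by UserPrincipalName, IPAddress, country, city, OutOfCountry, NewIP
| order by OutOfCountry desc, NewIP desc, Events desc
```

Country lookups from IP are approximate, and VPN or mobile egress can place a legitimate user abroad, so treat OutOfCountry as a triage signal rather than a verdict. Private or unroutable addresses return an empty country and will show as OutOfCountry unless you filter them first.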
Dec 12 2023 12:15 PM